Guide to the Secure Configuration of Red Hat Enterprise Linux 8
with profile CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - ServerThis profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
https://www.open-scap.org/security-policies/scap-security-guide
scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
| Evaluation target | ciclvl2-rhel84 |
|---|---|
| Benchmark URL | /tmp/ssg-rhel8-ds.xml |
| Benchmark ID | xccdf_org.ssgproject.content_benchmark_RHEL-8 |
| Benchmark version | 0.1.64 |
| Profile ID | xccdf_org.ssgproject.content_profile_cis |
| Started at | 2022-11-07T15:05:07+00:00 |
| Finished at | 2022-11-07T15:05:53+00:00 |
| Performed by | azureuser |
| Test system | cpe:/a:redhat:openscap:1.3.4 |
CPE Platforms
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:8.4
- cpe:/o:redhat:enterprise_linux:8.0
- cpe:/o:redhat:enterprise_linux:8.1
- cpe:/o:redhat:enterprise_linux:8.2
- cpe:/o:redhat:enterprise_linux:8.3
- cpe:/o:redhat:enterprise_linux:8.5
- cpe:/o:redhat:enterprise_linux:8.6
- cpe:/o:redhat:enterprise_linux:8.7
- cpe:/o:redhat:enterprise_linux:8.8
- cpe:/o:redhat:enterprise_linux:8.9
- cpe:/o:redhat:enterprise_linux:8.10
Addresses
- IPv4 127.0.0.1
- IPv4 10.0.0.12
- IPv6 0:0:0:0:0:0:0:1
- IPv6 fe80:0:0:0:6245:bdff:fec2:b9
- MAC 00:00:00:00:00:00
- MAC 60:45:BD:C2:00:B9
Compliance and Scoring
Rule results
Severity of failed rules
Score
| Scoring system | Score | Maximum | Percent |
|---|---|---|---|
| urn:xccdf:scoring:default | 93.864449 | 100.000000 |
Rule Overview
Result Details
Install AIDE
| Rule ID | xccdf_org.ssgproject.content_rule_package_aide_installed |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_aide_installed:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80844-4 References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule |
| Description | The aide package can be installed with the following command:
$ sudo yum install aide |
| Rationale | The AIDE package must be installed if it is to be available for integrity checking. |
package aide is installed oval:ssg-test_package_aide_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object
| Name |
|---|
| aide |
Build and Test AIDE Database
| Rule ID | xccdf_org.ssgproject.content_rule_aide_build_database |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_build_database:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80675-2 References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1 |
| Description | Run the following command to generate a new database:
$ sudo /usr/sbin/aide --initBy default, the database will be written to the file /var/lib/aide/aide.db.new.gz.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/sbin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzTo initiate a manual check, run the following command: $ sudo /usr/sbin/aide --checkIf this check produces any unexpected output, investigate. |
| Rationale | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. |
package aide is installed oval:ssg-test_package_aide_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object
| Name |
|---|
| aide |
Testing existence of new aide database file oval:ssg-test_aide_build_new_database_absolute_path:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_build_new_database_absolute_path:obj:1 of type file_object
| Filepath |
|---|
| Referenced variable has no values (oval:ssg-variable_aide_build_new_database_absolute_path:var:1). |
Testing existence of operational aide database file oval:ssg-test_aide_operational_database_absolute_path:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_operational_database_absolute_path:obj:1 of type file_object
| Filepath |
|---|
| Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path:var:1) |
Configure Periodic Execution of AIDE
| Rule ID | xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-aide_periodic_cron_checking:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80676-0 References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2 |
| Description | At a minimum, AIDE should be configured to run a weekly scan.
To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --checkTo implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --checkAIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and
@weekly is acceptable. |
| Rationale | By default, AIDE does not install itself for periodic execution. Periodically
running AIDE is necessary to reveal unexpected changes in installed files.
Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security. Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. |
package aide is installed oval:ssg-test_package_aide_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object
| Name |
|---|
| aide |
run aide with cron oval:ssg-test_aide_periodic_cron_checking:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_periodic_cron_checking:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/crontab | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron oval:ssg-test_aide_crond_checking:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/cron.d | ^.*$ | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron oval:ssg-test_aide_var_cron_checking:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /var/spool/cron/root | ^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
run aide with cron.(daily|weekly) oval:ssg-test_aide_crontabs_checking:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| ^/etc/cron.(daily|weekly)$ | ^.*$ | ^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$ | 1 |
Configure System Cryptography Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80935-0 References: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule |
| Description | To configure the system cryptography policy to use ciphers only from the DEFAULT
policy, run the following command:
$ sudo update-crypto-policies --set DEFAULTThe rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1646043042 |
Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/crypto-policies/back-ends/nss.config | regular | 0 | 0 | 429 | rw-r--r-- |
Configure SSH to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80939-2 References: CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r809334_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. |
| Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysconfig/sshd | ^\s*(?i)CRYPTO_POLICY\s*=.*$ | 1 |
Ensure /home Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_home:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-81044-0 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r627750_rule |
| Description | If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
| Rationale | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. |
/home on own partition oval:ssg-testhome_partition:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /home | /dev/mapper/rootvg-homelv | 841c3ec8-e576-405d-80ff-4ae2bf8883ad | xfs | rw | seclabel | nosuid | nodev | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 259584 | 46642 | 212942 |
Ensure /tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_tmp:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80851-9 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule |
| Description | The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
| Rationale | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
/tmp on own partition oval:ssg-testtmp_partition:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /tmp | /dev/mapper/rootvg-tmplv | 10a53d6f-3d9b-403a-a691-083632225621 | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 521728 | 24697 | 497031 |
Ensure /var Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80852-7 References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010540, 1.1.3.1, SV-230292r627750_rule |
| Description | The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
| Rationale | Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. |
/var on own partition oval:ssg-testvar_partition:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /var | /dev/mapper/rootvg-varlv | 2e953a84-ce4d-4d23-9527-029c4011938c | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 2094592 | 145273 | 1949319 |
Ensure /var/log Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_log:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80853-5 References: BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.5.1, SV-230293r627750_rule |
| Description | System logs are stored in the /var/log directory.
Ensure that /var/log has its own partition or logical
volume at installation time, or migrate it using LVM. |
| Rationale | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. |
/var/log on own partition oval:ssg-testvar_log_partition:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_own_partition:obj:1 of type partition_object
| Mount point |
|---|
| /var/log |
Ensure /var/log/audit Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_log_audit:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80854-3 References: BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010542, 1.1.6.1, SV-230294r627750_rule |
| Description | Audit logs are stored in the /var/log/audit directory.
Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
| Rationale | Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. |
/var/log/audit on own partition oval:ssg-testvar_log_audit_partition:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_audit_own_partition:obj:1 of type partition_object
| Mount point |
|---|
| /var/log/audit |
Ensure /var/tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_tmp |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-partition_for_var_tmp:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82730-3 References: BP28(R12), SRG-OS-000480-GPOS-00227, RHEL-08-010544, 1.1.4.1, SV-244529r743836_rule |
| Description | The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
| Rationale | The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
/var/tmp on own partition oval:ssg-testvar_tmp_partition:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_tmp_own_partition:obj:1 of type partition_object
| Mount point |
|---|
| /var/tmp |
Make sure that the dconf databases are up-to-date with regards to respective keyfiles
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_db_up_to_date |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-81003-6 References: 164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227, 1.8.2 |
| Description | By default, DConf uses a binary database as a data backend.
The system-level database is compiled from keyfiles in the /etc/dconf/db/
directory by the dconf updatecommand. More specifically, content present in the following directories: /etc/dconf/db/gdm.d /etc/dconf/db/local.d |
| Rationale | Unlike text-based keyfiles, the binary database is impossible to check by OVAL.
Therefore, in order to evaluate dconf configuration, both have to be true at the same time -
configuration files have to be compliant, and the database needs to be more recent than those keyfiles,
which gives confidence that it reflects them. |
Install sudo Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sudo_installed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_sudo_installed:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82214-8 References: BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.3.1 |
| Description | The sudo package can be installed with the following command:
$ sudo yum install sudo |
| Rationale | sudo is a program designed to allow a system administrator to give
limited root privileges to users and log root activity. The basic philosophy
is to give as few privileges as possible but still allow system users to
get their work done. |
package sudo is installed oval:ssg-test_package_sudo_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| sudo | x86_64 | (none) | 7.el8_4.1 | 1.8.29 | 0:1.8.29-7.el8_4.1 | 199e2f91fd431d51 | sudo-0:1.8.29-7.el8_4.1.x86_64 |
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_add_use_pty |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_add_use_pty:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83798-9 |
| Description | The sudo use_pty tag, when specified, will only execute sudo
commands from users logged in to a real tty.
This should be enabled by making sure that the use_pty tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. |
| Rationale | Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
access to the user's terminal after the main program has finished executing. |
use_pty exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_use_pty_sudoers:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sudoers | Defaults use_pty |
Ensure Sudo Logfile Exists - sudo logfile
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_custom_logfile |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_custom_logfile:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-83601-5 References: 5.3.3 |
| Description | A custom log sudo file can be configured with the 'logfile' tag. This rule configures
a sudo custom logfile at the default location suggested by CIS, which uses
/var/log/sudo.log. |
| Rationale | A sudo log file simplifies auditing of sudo commands. |
logfile exists in /etc/sudoers or /etc/sudoers.d/ oval:ssg-test_logfile_sudoers:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_logfile_sudoers:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/sudoers(|\.d/.*)$ | ^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b).*$ | 1 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_require_authentication |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_require_authentication:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82279-1 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, 5.3.4 |
| Description | The sudo NOPASSWD and !authenticate option, when
specified, allows a user to execute commands using sudo without having to
authenticate. This should be disabled by making sure that
NOPASSWD and/or !authenticate do not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/." |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
!authenticate does not exist in /etc/sudoers oval:ssg-test_no_authenticate_etc_sudoers:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
!authenticate does not exist in /etc/sudoers.d oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
NOPASSWD does not exist /etc/sudoers oval:ssg-test_nopasswd_etc_sudoers:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
NOPASSWD does not exist in /etc/sudoers.d oval:ssg-test_nopasswd_etc_sudoers_d:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sudoers.d/90-cloud-init-users | azureuser ALL=(ALL) NOPASSWD:ALL |
The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_require_reauthentication |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_require_reauthentication:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-87838-9 References: CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, SV-237643r838720_rule |
| Description | The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
check correct configuration in /etc/sudoers oval:ssg-test_sudo_timestamp_timeout:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sudoers | Defaults timestamp_timeout=5 |
Ensure gpgcheck Enabled In Main yum Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_globally_activated:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80790-9 References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010370, 1.2.3, SV-230264r627750_rule |
| Description | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
check value of gpgcheck in /etc/yum.conf oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/yum.conf | gpgcheck=1 |
Verify Group Ownership of System Login Banner
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_issue:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83708-8 References: 1.7.5 |
| Description |
To properly set the group owner of /etc/issue, run the command:
$ sudo chgrp root /etc/issue |
| Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. |
Testing group ownership of /etc/issue oval:ssg-test_file_groupowner_etc_issue_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_issue_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/issue | oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1 |
Verify Group Ownership of Message of the Day Banner
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_motd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_motd:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83728-6 References: 1.7.4 |
| Description |
To properly set the group owner of /etc/motd, run the command:
$ sudo chgrp root /etc/motd |
| Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance. Proper group ownership will ensure that only root user can modify the banner. |
Testing group ownership of /etc/motd oval:ssg-test_file_groupowner_etc_motd_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_motd_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/motd | oval:ssg-symlink_file_groupowner_etc_motd_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_motd_gid_0_0:ste:1 |
Verify ownership of System Login Banner
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_issue |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_issue:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83718-7 References: 1.7.5 |
| Description |
To properly set the owner of /etc/issue, run the command:
$ sudo chown root /etc/issue |
| Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. |
Testing user ownership of /etc/issue oval:ssg-test_file_owner_etc_issue_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_issue_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/issue | oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1 | oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1 |
Verify ownership of Message of the Day Banner
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_motd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_motd:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83738-5 References: 1.7.4 |
| Description |
To properly set the owner of /etc/motd, run the command:
$ sudo chown root /etc/motd |
| Rationale | Display of a standardized and approved use notification before granting
access to the operating system ensures privacy and security notification
verbiage used is consistent with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance. Proper ownership will ensure that only root user can modify the banner. |
Testing user ownership of /etc/motd oval:ssg-test_file_owner_etc_motd_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_motd_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/motd | oval:ssg-symlink_file_owner_etc_motd_uid_0:ste:1 | oval:ssg-state_file_owner_etc_motd_uid_0_0:ste:1 |
Limit Password Reuse: password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwhistory_remember_password_auth:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83478-8 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, RHEL-08-020220, 5.5.3, SV-230368r810414_rule |
| Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
In the file /etc/pam.d/password-auth, make sure the parameter
remember is present and it has a value equal to or greater than
5. For example:
password control_flag pam_pwhistory.so ...existing_options... remember=5 use_authtokcontrol_flag should be one of the next values: required |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. |
check the configuration of /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | password required pam_pwhistory.so remember=5 |
Limit Password Reuse: system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwhistory_remember_system_auth:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83480-4 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, RHEL-08-020221, 5.5.3, SV-251717r810415_rule |
| Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
In the file /etc/pam.d/system-auth, make sure the parameter
remember is present and it has a value equal to or greater than
5
For example:
password control_flag pam_pwhistory.so ...existing_options... remember=5 use_authtokcontrol_flag should be one of the next values: required |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password required pam_pwhistory.so remember=5 |
Lock Accounts After Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80667-9 References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, RHEL-08-020010, 5.4.2, 5.5.2, SV-230332r627750_rule |
| Description | This rule configures the system to lock out accounts after a number of incorrect login attempts
using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | account required pam_faillock.so account required pam_unix.so |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | account required pam_faillock.so account required pam_unix.so |
Check the expected deny value in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/system-auth$ | 1 |
Check the expected deny value in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/password-auth$ | 1 |
Check the absence of deny parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/faillock.conf | deny = 3 |
Check the absence of deny parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of deny parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | ^/etc/pam.d/password-auth$ | 1 |
Check the expected deny value in in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/faillock.conf | deny = 3 |
Set Lockout Time for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80670-3 References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180, RHEL-08-020016, 5.4.2, SV-230338r627750_rule |
| Description | This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.
If unlock_time is set to 0, manual intervention by an administrator is required
to unlock a user. This should be done using the faillock tool. |
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
| Warnings | warning
If the system supports the new /etc/security/faillock.conf file but the
pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and
/etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter
to /etc/security/faillock.conf to ensure compatibility with authselect tool.
The parameters deny and fail_interval, if used, also have to be migrated
by their respective remediation.warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | auth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | account required pam_faillock.so account required pam_unix.so |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | auth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | account required pam_faillock.so account required pam_unix.so |
Check the expected unlock_time value in system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/system-auth$ | 1 |
Check the expected unlock_time value in password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/password-auth$ | 1 |
Check the absence of unlock_time parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/faillock.conf | unlock_time = 900 |
Check the absence of unlock_time parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of unlock_time parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | ^/etc/pam.d/password-auth$ | 1 |
Check the expected unlock_time value in in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/faillock.conf | unlock_time = 900 |
Ensure PAM Enforces Password Requirements - Minimum Different Categories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minclass:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82046-4 References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, 5.5.1, SV-230362r833323_rule |
| Description | The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation)Modify the minclass setting in /etc/security/pwquality.conf entry
to require 4
differing categories of characters when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minclass:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | minclass = 4 |
Ensure PAM Enforces Password Requirements - Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minlen:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80656-2 References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450, RHEL-08-020230, 5.5.1, SV-230369r833327_rule |
| Description | The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=14
after pam_pwquality to set minimum password length requirements. |
| Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minlen:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | minlen = 14 |
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_retry:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80664-6 References: 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, RHEL-08-020104, 5.4.1, SV-251716r833387_rule |
| Description | To configure the number of retry prompts that are permitted per-session:
Edit the /etc/security/pwquality.conf to include
retry=3, or a lower value if site
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
per session. |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module. |
check the configuration of /etc/pam.d/password-auth oval:ssg-test_password_pam_pwquality_retry_password_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/password-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/pam.d/password-auth oval:ssg-test_password_pam_pwquality_retry_password_auth_not_set:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/password-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality_retry_system_auth_not_set:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$ | 1 |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_retry_pwquality_conf:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/security/pwquality.conf | retry = 3 |
Set PAM''s Password Hashing Algorithm - password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_passwordauth:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85945-4 References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SRG-OS-000480-VMM-002000, RHEL-08-010160, 5.4.4, SV-230237r809276_rule |
| Description | The PAM system service can be configured to only store encrypted
representations of passwords. In
/etc/pam.d/password-auth,
the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512, as shown
below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
check /etc/pam.d/password-auth for correct settings oval:ssg-test_pam_unix_passwordauth_sha512:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok |
Set PAM''s Password Hashing Algorithm
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_systemauth:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80893-1 References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SRG-OS-000480-VMM-002000, RHEL-08-010159, 5.4.4, SV-244524r809331_rule |
| Description | The PAM system service can be configured to only store encrypted
representations of passwords. In "/etc/pam.d/system-auth", the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512, as shown
below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
check /etc/pam.d/system-auth for correct settings oval:ssg-test_pam_unix_sha512:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok |
Require Authentication for Emergency Systemd Target
| Rule ID | xccdf_org.ssgproject.content_rule_require_emergency_target_auth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-require_emergency_target_auth:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82186-8 References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010152, 1.4.3, SV-244523r743818_rule |
| Description | Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode oval:ssg-test_require_emergency_service:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/emergency.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency |
Tests that the systemd emergency.service is in the emergency.target oval:ssg-test_require_emergency_service_emergency_target:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/emergency.target | Requires=emergency.service |
look for emergency.target in /etc/systemd/system oval:ssg-test_no_custom_emergency_target:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_target:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /etc/systemd/system | ^emergency.target$ |
look for emergency.service in /etc/systemd/system oval:ssg-test_no_custom_emergency_service:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_service:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /etc/systemd/system | ^emergency.service$ |
Require Authentication for Single User Mode
Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode oval:ssg-test_require_rescue_service:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/rescue.service | ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue |
Set Account Expiration Following Inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_disable_post_pw_expiration:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80954-1 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, SRG-OS-000118-GPOS-00060, SRG-OS-000003-VMM-000030, SRG-OS-000118-VMM-000590, RHEL-08-020260, 5.6.1.4, SV-230373r627750_rule |
| Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=30If a password is currently on the verge of expiration, then 30
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 30 day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
| Rationale | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. |
the value INACTIVE parameter should be set appropriately in /etc/default/useradd oval:ssg-test_etc_default_useradd_inactive:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/default/useradd | INACTIVE=30 |
Ensure All Accounts on the System Have Unique Names
| Rule ID | xccdf_org.ssgproject.content_rule_account_unique_name |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_unique_name:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80674-5 References: 5.5.2, CCI-000770, CCI-000804, Req-8.1.1, 6.2.5 |
| Description | Ensure accounts on the system have unique names.
To ensure all accounts have unique names, run the following command:
$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
If a username is returned, change or delete the username. |
| Rationale | Unique usernames allow for accountability on the system. |
There should not exist duplicate user name entries in /etc/passwd oval:ssg-test_etc_passwd_no_duplicate_user_names:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1 | 30 |
Set Password Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_maximum_age_login_defs:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80647-1 References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, SRG-OS-000076-GPOS-00044, RHEL-08-020200, 5.6.1.1, SV-230366r646878_rule |
| Description | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 365A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 365. |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs oval:ssg-test_pass_max_days:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_last_pass_max_days_instance_value:var:1 | 365 |
Set Password Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_minimum_age_login_defs:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80648-9 References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000075-GPOS-00043, RHEL-08-020190, 5.6.1.2, SV-230365r627750_rule |
| Description | To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 7A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 7. |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs oval:ssg-test_pass_min_days:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_last_pass_min_days_instance_value:var:1 | 7 |
Set Existing Passwords Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_max_life_existing:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82473-0 References: CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, SRG-OS-000076-VMM-000430, RHEL-08-020210, 5.6.1.1, SV-230367r627750_rule |
| Description | Configure non-compliant accounts to enforce a 365-day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 365 USER |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised. |
Password maximum lifetime for existing accounts is at least the minimum. oval:ssg-test_password_max_life_existing:tst:1 true
Following items have been found on the system:
| Username | Password | Chg lst | Chg allow | Chg req | Exp warn | Exp inact | Exp date | Flag | Encrypt method |
|---|---|---|---|---|---|---|---|---|---|
| games | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| operator | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| daemon | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| libstoragemgmt | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| clevis | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| unbound | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| setroubleshoot | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-ws | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-wsinstance | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| dbus | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sync | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| root | 14600 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| nobody | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| ftp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-coredump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-resolve | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tss | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| polkitd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| bin | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| halt | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| adm | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | ||
| shutdown | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| lp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| sssd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| chrony | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sshd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| rngd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tcpdump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| azureuser | 19303 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES |
Password maximum life entry is at least a defined minimum oval:ssg-test_password_max_life_existing_minimum:tst:1 true
Following items have been found on the system:
| Username | Password | Chg lst | Chg allow | Chg req | Exp warn | Exp inact | Exp date | Flag | Encrypt method |
|---|---|---|---|---|---|---|---|---|---|
| games | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| operator | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| daemon | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| libstoragemgmt | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| clevis | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| unbound | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| setroubleshoot | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-ws | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-wsinstance | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| dbus | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sync | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| root | 14600 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| nobody | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| ftp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-coredump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-resolve | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tss | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| polkitd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| bin | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| halt | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| adm | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | ||
| shutdown | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| lp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| sssd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| chrony | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sshd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| rngd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tcpdump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| azureuser | 19303 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES |
Set Existing Passwords Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_min_life_existing:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82472-2 References: CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, SRG-OS-000075-VMM000420, RHEL-08-020180, 5.6.1.2, SV-230364r627750_rule |
| Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse. |
Password minimum lifetime for existing accounts is at least what is defined by policy. oval:ssg-test_password_min_life_existing:tst:1 false
Following items have been found on the system:
| Username | Password | Chg lst | Chg allow | Chg req | Exp warn | Exp inact | Exp date | Flag | Encrypt method |
|---|---|---|---|---|---|---|---|---|---|
| games | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| operator | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| daemon | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| libstoragemgmt | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| clevis | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| unbound | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| setroubleshoot | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-ws | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-wsinstance | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| dbus | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sync | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| root | 14600 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| nobody | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| ftp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-coredump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-resolve | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tss | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| polkitd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| bin | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| halt | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| adm | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | ||
| shutdown | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| lp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| sssd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| chrony | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sshd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| rngd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tcpdump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| azureuser | 19303 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES |
Password minimum life entry is at mosta defined maximum oval:ssg-test_password_min_life_existing_maximum:tst:1 true
Following items have been found on the system:
| Username | Password | Chg lst | Chg allow | Chg req | Exp warn | Exp inact | Exp date | Flag | Encrypt method |
|---|---|---|---|---|---|---|---|---|---|
| games | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| operator | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| daemon | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| libstoragemgmt | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| clevis | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| unbound | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| setroubleshoot | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-ws | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| cockpit-wsinstance | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| dbus | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sync | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| root | 14600 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| nobody | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| ftp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-coredump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| systemd-resolve | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tss | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| polkitd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| bin | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| halt | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| adm | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | ||
| shutdown | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| lp | 18367 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES | |
| sssd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| chrony | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| sshd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| rngd | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| tcpdump | 19051 | -1 | 365 | -1 | -1 | -1 | 18446744073709551615 | DES | |
| azureuser | 19303 | 0 | 365 | 7 | -1 | -1 | 18446744073709551615 | DES |
Set Password Warning Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_warn_age_login_defs:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80671-1 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 0418, 1055, 1402, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(f), IA-5(1)(d), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, 5.6.1.3 |
| Description | To specify how many days prior to password
expiration that a warning will be issued to users,
edit the file /etc/login.defs and add or correct
the following line:
PASS_WARN_AGE 7The DoD requirement is 7. The profile requirement is 7. |
| Rationale | Setting the password warning age enables users to
make the change at a practical time. |
The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs oval:ssg-test_pass_warn_age:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_last_pass_warn_age_instance_value:var:1 | 7 |
All GIDs referenced in /etc/passwd must be defined in /etc/group
| Rule ID | xccdf_org.ssgproject.content_rule_gid_passwd_group_same |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-gid_passwd_group_same:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80822-0 References: 1, 12, 15, 16, 5, 5.5.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000764, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.5.a, SRG-OS-000104-GPOS-00051, 6.2.2 |
| Description | Add a group to the system for each GID referenced without a corresponding group. |
| Rationale | If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
with the Group Identifier (GID) is subsequently created, the user may have unintended rights to
any files associated with the group. |
Verify all GIDs referenced in /etc/passwd are defined in /etc/group oval:ssg-test_gid_passwd_group_same:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/passwd | root:x:0:0: |
| /etc/passwd | bin:x:1:1: |
| /etc/passwd | daemon:x:2:2: |
| /etc/passwd | adm:x:3:4: |
| /etc/passwd | lp:x:4:7: |
| /etc/passwd | sync:x:5:0: |
| /etc/passwd | shutdown:x:6:0: |
| /etc/passwd | halt:x:7:0: |
| /etc/passwd | mail:x:8:12: |
| /etc/passwd | operator:x:11:0: |
| /etc/passwd | games:x:12:100: |
| /etc/passwd | ftp:x:14:50: |
| /etc/passwd | nobody:x:65534:65534: |
| /etc/passwd | dbus:x:81:81: |
| /etc/passwd | systemd-coredump:x:999:997: |
| /etc/passwd | systemd-resolve:x:193:193: |
| /etc/passwd | tss:x:59:59: |
| /etc/passwd | polkitd:x:998:996: |
| /etc/passwd | libstoragemgmt:x:997:995: |
| /etc/passwd | clevis:x:996:992: |
| /etc/passwd | unbound:x:995:991: |
| /etc/passwd | setroubleshoot:x:994:990: |
| /etc/passwd | cockpit-ws:x:993:989: |
| /etc/passwd | cockpit-wsinstance:x:992:988: |
| /etc/passwd | sssd:x:991:987: |
| /etc/passwd | chrony:x:990:986: |
| /etc/passwd | sshd:x:74:74: |
| /etc/passwd | rngd:x:989:985: |
| /etc/passwd | tcpdump:x:72:72: |
| /etc/passwd | azureuser:x:1000:1000: |
Ensure There Are No Accounts With Blank or Null Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_empty_passwords_etc_shadow:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-85953-8 References: CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, 6.2.1 |
| Description | Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]Lock an account: $ sudo passwd -l [username] |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
| Warnings | warning
Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. |
make sure there aren't blank or null passwords in /etc/shadow oval:ssg-test_no_empty_passwords_etc_shadow:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/shadow | ^[^:]+::.*$ | 1 |
Verify No netrc Files Exist
| Rule ID | xccdf_org.ssgproject.content_rule_no_netrc_files |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_netrc_files:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83444-0 References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, 6.2.13, 6.2.15 |
| Description | The .netrc files contain login information
used to auto-login into FTP servers and reside in the user's home
directory. These files may contain unencrypted passwords to
remote FTP servers making them susceptible to access by unauthorized
users and should not be used. Any .netrc files should be removed. |
| Rationale | Unencrypted passwords for remote FTP servers may be stored in .netrc
files. |
look for .netrc in /home oval:ssg-test_no_netrc_files_home:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /home | ^\.netrc$ |
Verify Only Root Has UID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80649-7 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040200, 6.2.8, SV-230534r627750_rule |
| Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned. |
| Rationale | An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner. |
test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_no_uid_except_root:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Verify Root Has A Primary GID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_root_gid_zero |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_root_gid_zero:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-86297-9 References: 5.6.4 |
| Description | The root user should have a primary group of 0. |
| Rationale | To help ensure that root-owned files are not inadvertently exposed to other users. |
test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_root_gid_zero:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/passwd | root:x:0:0:root:/root:/bin/bash |
Ensure that System Accounts Do Not Run a Shell Upon Login
| Rule ID | xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_shelllogin_for_systemaccounts:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80843-6 References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 1491, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000480-GPOS-00227, 5.6.2 |
| Description | Some accounts are not associated with a human user of the system, and exist to
perform some administrative function. Should an attacker be able to log into
these accounts, they should not be granted access to a shell.
The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID
less than UID_MIN, where value of UID_MIN directive is set in
/etc/login.defs configuration file. In the default configuration UID_MIN is set
to 1000, thus system accounts are those user accounts with a user ID less than
1000. The user ID is stored in the third field. If any system account
SYSACCT (other than root) has a login shell, disable it with the
command: $ sudo usermod -s /sbin/nologin SYSACCT |
| Rationale | Ensuring shells are not given to system accounts upon login makes it more
difficult for attackers to make use of system accounts. |
| Warnings | warning
Do not perform the steps in this section on the root account. Doing so might
cause the system to become inaccessible. |
SYS_UID_MIN not defined in /etc/login.defs oval:ssg-test_sys_uid_min_not_defined:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/login.defs | # # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 |
SYS_UID_MAX not defined in /etc/login.defs oval:ssg-test_sys_uid_max_not_defined:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/login.defs | # # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999 |
<0, UID_MIN - 1> system UIDs having shell set oval:ssg-test_shell_defined_default_uid_range:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/passwd | azureuser:x:1000:1000:Cloud User:/home/azureuser:/bin/bash |
SYS_UID_MIN not defined in /etc/login.defs oval:ssg-test_sys_uid_min_not_defined:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/login.defs | # # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 |
SYS_UID_MAX not defined in /etc/login.defs oval:ssg-test_sys_uid_max_not_defined:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/login.defs | # # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999 |
<0, SYS_UID_MIN> system UIDs having shell set oval:ssg-test_shell_defined_reserved_uid_range:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/passwd | azureuser:x:1000:1000:Cloud User:/home/azureuser:/bin/bash |
<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/passwd | azureuser:x:1000:1000:Cloud User:/home/azureuser:/bin/bash |
Enforce usage of pam_wheel for su authentication
| Rule ID | xccdf_org.ssgproject.content_rule_use_pam_wheel_for_su |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-use_pam_wheel_for_su:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83318-6 References: FMT_SMF_EXT.1.1, SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123, 5.3.7 |
| Description | To ensure that only users who are members of the wheel group can
run commands with altered privileges through the su command, make
sure that the following line exists in the file /etc/pam.d/su:
auth required pam_wheel.so use_uid |
| Rationale | The su program allows to run commands with a substitute user and
group ID. It is commonly used to run commands as the root user. Limiting
access to such command is considered a good security practice. |
check /etc/pam.d/su for correct setting oval:ssg-test_use_pam_wheel_for_su:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/su | auth required pam_wheel.so use_uid |
Ensure All Accounts on the System Have Unique User IDs
| Rule ID | xccdf_org.ssgproject.content_rule_account_unique_id |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_unique_id:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-89903-9 References: CCI-000135, CCI-000764, CCI-000804, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020, RHEL-08-020240, 6.2.3, SV-230371r627750_rule |
| Description | Change user IDs (UIDs), or delete accounts, so each has a unique name. |
| Rationale | To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. |
| Warnings | warning
Automatic remediation of this control is not available due to unique requirements of each
system. |
There should not exist duplicate user ids in /etc/passwd oval:ssg-test_etc_passwd_no_duplicate_user_ids:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_count_of_all_uids:var:1 | 30 |
Ensure All Groups on the System Have Unique Group ID
| Rule ID | xccdf_org.ssgproject.content_rule_group_unique_id |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-group_unique_id:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86201-1 References: CCI-000764, SRG-OS-000104-GPOS-00051, 6.2.4 |
| Description | Change the group name or delete groups, so each has a unique id. |
| Rationale | To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. |
| Warnings | warning
Automatic remediation of this control is not available due to the unique requirements of each system. |
There should not exist duplicate group ids in /etc/passwd oval:ssg-test_etc_group_no_duplicate_group_ids:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_count_of_all_group_ids:var:1 | 50 |
Ensure All Groups on the System Have Unique Group Names
| Rule ID | xccdf_org.ssgproject.content_rule_group_unique_name |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-group_unique_name:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86328-2 References: 6.2.6 |
| Description | Change the group name or delete groups, so each has a unique name. |
| Rationale | To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system. |
| Warnings | warning
Automatic remediation of this control is not available due to the unique requirements of each system. |
There should not exist duplicate group names in /etc/passwd oval:ssg-test_etc_group_no_duplicate_group_names:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_count_of_all_group_names:var:1 | 50 |
Ensure that Root's Path Does Not Include World or Group-Writable Directories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_root_path_dirs_no_write:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80672-9 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.7 |
| Description | For each element in root's path, run:
# ls -ld DIRand ensure that write permissions are disabled for group and other. |
| Rationale | Such entries increase the risk that root could
execute code provided by unprivileged users,
and potentially malicious code. |
Check if there aren't directories in root's path having write permission set for group or other oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1 of type file_object
| Path | Filename | Filter | Filter | ||||
|---|---|---|---|---|---|---|---|
| no value | oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1 | oval:ssg-state_accounts_root_path_dirs_symlink:ste:1 |
Ensure that Root's Path Does Not Include Relative Paths or Null Directories
| Rule ID | xccdf_org.ssgproject.content_rule_root_path_no_dot |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-root_path_no_dot:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-85914-0 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.7 |
| Description | Ensure that none of the directories in root's path is equal to a single
. character, or
that it contains any instances that lead to relative path traversal, such as
.. or beginning a path without the slash (/) character.
Also ensure that there are no "empty" elements in the path, such as in these examples:
PATH=:/bin PATH=/bin: PATH=/bin::/sbinThese empty elements have the same effect as a single . character. |
| Rationale | Including these entries increases the risk that root could
execute code from an untrusted location. |
environment variable PATH starts with : or . oval:ssg-test_env_var_begins:tst:1 true
Following items have been found on the system:
| Pid | Name | Value |
|---|---|---|
| 509566 | PATH | /sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH doesn't contain : twice in a row oval:ssg-test_env_var_contains_doublecolon:tst:1 true
Following items have been found on the system:
| Pid | Name | Value |
|---|---|---|
| 509566 | PATH | /sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH doesn't contain . twice in a row oval:ssg-test_env_var_contains_doubleperiod:tst:1 true
Following items have been found on the system:
| Pid | Name | Value |
|---|---|---|
| 509566 | PATH | /sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH ends with : or . oval:ssg-test_env_var_ends:tst:1 true
Following items have been found on the system:
| Pid | Name | Value |
|---|---|---|
| 509566 | PATH | /sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH starts with an absolute path / oval:ssg-test_env_var_begins_slash:tst:1 true
Following items have been found on the system:
| Pid | Name | Value |
|---|---|---|
| 509566 | PATH | /sbin:/bin:/usr/sbin:/usr/bin |
environment variable PATH contains relative paths oval:ssg-test_env_var_contains_relative_path:tst:1 true
Following items have been found on the system:
| Pid | Name | Value |
|---|---|---|
| 509566 | PATH | /sbin:/bin:/usr/sbin:/usr/bin |
Ensure the Default Bash Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_bashrc:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81036-6 References: BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule |
| Description | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 027 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_bashrc:tst:1 true
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_bashrc_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Ensure the Default Umask is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_login_defs:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82888-9 References: BP28(R35), 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, SRG-OS-000480-GPOS-00228, RHEL-08-020351, 5.6.5, SV-230383r627750_rule |
| Description | To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 027 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_login_defs:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_etc_login_defs_umask_as_number:var:1 | 23 |
Ensure the Default Umask is Set Correctly in /etc/profile
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_profile:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81035-8 References: BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule |
| Description | To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask 027 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 23 |
Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_profile:tst:1 true
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_profile_umask_as_number:var:1 | 23 | 23 | 23 | 23 | 23 | 23 | 23 | 23 |
Set Interactive Session Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_tmout |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_tmout:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80673-7 References: BP28(R29), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010, 5.6.3 |
| Description | Setting the TMOUT option in /etc/profile ensures that
all user sessions will terminate based on inactivity.
The value of TMOUT should be exported and read only.
The TMOUT
setting in a file loaded by /etc/profile, e.g.
/etc/profile.d/tmout.sh should read as follows:
declare -xr TMOUT=900 |
| Rationale | Terminating an idle session within a short time period reduces
the window of opportunity for unauthorized personnel to take control of a
management session enabled on the console or console port that has been
left unattended. |
TMOUT in /etc/profile oval:ssg-test_etc_profile_tmout:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profile_tmout:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/profile | ^[\s]*declare[\s]+-xr[\s]+TMOUT=([\w$]+).*$ | 1 |
TMOUT in /etc/profile.d/*.sh oval:ssg-test_etc_profiled_tmout:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/profile.d/tmout.sh | declare -xr TMOUT=900 |
User Initialization Files Must Not Run World-Writable Programs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_dot_no_world_writable_programs:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-84039-7 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010660, 6.2.12, SV-230309r627750_rule |
| Description | Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE |
| Rationale | If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level. |
Init files do not execute world-writable programs oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type textfilecontent54_object
| Behaviors | Path | Filename | Pattern | Instance | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| no value | 1 |
All Interactive Users Home Directories Must Exist
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_exists:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83424-2 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, 6.2.9, SV-230323r627750_rule |
| Description | Create home directories to all interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER |
| Rationale | If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access. |
Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1 | 1 |
Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1 | 1 |
All Interactive User Home Directories Must Be Group-Owned By The Primary User
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_home_directories |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_home_directories:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83434-1 References: CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, 6.2.10, SV-230322r743963_rule |
| Description | Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USERThis rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory. |
| Rationale | If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the users files, and users that share the same group may not be
able to access files that they legitimately should. |
| Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of their respective home directories. |
All home directories are group-owned by a local interactive group oval:ssg-test_file_groupownership_home_directories:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /home/azureuser/ | directory | 1000 | 1000 | 182 | rwx------ |
All Interactive User Home Directories Must Be Owned By The Primary User
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_home_directories |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_home_directories:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86131-0 References: CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.10 |
| Description | Change the owner of interactive users home directories to that correct
owner. To change the owner of a interactive users home directory, use
the following command:
$ sudo chown USER /home/USERThis rule ensures every home directory related to an interactive user is owned by an interactive user. It also ensures that interactive users are owners of one and only one home directory. |
| Rationale | If a local interactive user does not own their home directory, unauthorized
users could access or modify the user's files, and the users may not be able to
access their own files. |
| Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the ownership of
their respective home directories. |
All home directories are owned by a local interactive user oval:ssg-test_file_ownership_home_directories:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /home/azureuser/ | directory | 1000 | 1000 | 182 | rwx------ |
It should not exist duplicated owners of home dirs oval:ssg-test_file_ownership_home_directories_duplicated:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_file_ownership_home_directories_uids_count:var:1 | 1 |
Enable authselect
| Rule ID | xccdf_org.ssgproject.content_rule_enable_authselect |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-enable_authselect:def:1 |
| Time | 2022-11-07T15:05:07+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-88248-0 References: BP28(R5), CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, 1.2.3 |
| Description | Configure user authentication setup to use the authselect tool.
If authselect profile is selected, the rule will enable the sssd profile. |
| Rationale | Authselect is a successor to authconfig.
It is a tool to select system authentication and identity sources from a list of supported
profiles instead of letting the administrator manually build the PAM stack.
That way, it avoids potential breakage of configuration, as it ships several tested profiles
that are well tested and supported to solve different use-cases. |
| Warnings | warning
If the sudo authselect select command returns an error informing that the chosen
profile cannot be selected, it is probably because PAM files have already been modified by
the administrator. If this is the case, in order to not overwrite the desired changes made
by the administrator, the current PAM settings should be investigated before forcing the
selection of the chosen authselect profile. |
The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1 true
Following items have been found on the system:
| Filepath | Canonical path |
|---|---|
| /etc/pam.d/fingerprint-auth | /etc/authselect/fingerprint-auth |
The 'password-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_password_symlinked_to_authselect:tst:1 true
Following items have been found on the system:
| Filepath | Canonical path |
|---|---|
| /etc/pam.d/password-auth | /etc/authselect/password-auth |
The 'postlogin' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1 true
Following items have been found on the system:
| Filepath | Canonical path |
|---|---|
| /etc/pam.d/postlogin | /etc/authselect/postlogin |
The 'smartcard-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1 true
Following items have been found on the system:
| Filepath | Canonical path |
|---|---|
| /etc/pam.d/smartcard-auth | /etc/authselect/smartcard-auth |
The 'system-auth' PAM config is a symlink to its authselect counterpart oval:ssg-test_pam_system_symlinked_to_authselect:tst:1 true
Following items have been found on the system:
| Filepath | Canonical path |
|---|---|
| /etc/pam.d/system-auth | /etc/authselect/system-auth |
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chmod:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80685-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chmod oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit chmod oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chmod oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit chmod oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_chown:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80686-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit chown oval:ssg-test_32bit_ardm_chown_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit chown oval:ssg-test_64bit_ardm_chown_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit chown oval:ssg-test_32bit_ardm_chown_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit chown oval:ssg-test_64bit_ardm_chown_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmod:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80687-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmod oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit fchmod oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmod oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit fchmod oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchmodat:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80688-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchmodat oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit fchmodat oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchmodat oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit fchmodat oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchown:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80689-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchown oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit fchown oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchown oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit fchown oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fchownat:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80690-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fchownat oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit fchownat oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fchownat oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit fchownat oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fremovexattr:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80691-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fremovexattr oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 32-bit fremovexattr auid=0 oval:ssg-test_32bit_ardm_fremovexattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit fremovexattr oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 64-bit fremovexattr oval:ssg-test_64bit_ardm_fremovexattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fremovexattr oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 32-bit fremovexattr oval:ssg-test_32bit_ardm_fremovexattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit fremovexattr oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 64-bit fremovexattr oval:ssg-test_64bit_ardm_fremovexattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_fsetxattr:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80692-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit fsetxattr oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 32-bit fsetxattr auid=0 oval:ssg-test_32bit_ardm_fsetxattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit fsetxattr oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 64-bit fsetxattr oval:ssg-test_64bit_ardm_fsetxattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit fsetxattr oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 32-bit fsetxattr oval:ssg-test_32bit_ardm_fsetxattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit fsetxattr oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 64-bit fsetxattr oval:ssg-test_64bit_ardm_fsetxattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lchown:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80693-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lchown oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit lchown oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lchown oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit lchown oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lremovexattr:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80694-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lremovexattr oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 32-bit lremovexattr auid=0 oval:ssg-test_32bit_ardm_lremovexattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit lremovexattr oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 64-bit lremovexattr oval:ssg-test_64bit_ardm_lremovexattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lremovexattr oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 32-bit lremovexattr oval:ssg-test_32bit_ardm_lremovexattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit lremovexattr oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 64-bit lremovexattr oval:ssg-test_64bit_ardm_lremovexattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_lsetxattr:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80695-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit lsetxattr oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 32-bit lsetxattr auid=0 oval:ssg-test_32bit_ardm_lsetxattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit lsetxattr oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 64-bit lsetxattr oval:ssg-test_64bit_ardm_lsetxattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit lsetxattr oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 32-bit lsetxattr oval:ssg-test_32bit_ardm_lsetxattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit lsetxattr oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 64-bit lsetxattr oval:ssg-test_64bit_ardm_lsetxattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_removexattr:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80696-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit removexattr oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 32-bit removexattr auid=0 oval:ssg-test_32bit_ardm_removexattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit removexattr oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 64-bit removexattr oval:ssg-test_64bit_ardm_removexattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit removexattr oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 32-bit removexattr oval:ssg-test_32bit_ardm_removexattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit removexattr oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 64-bit removexattr oval:ssg-test_64bit_ardm_removexattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_dac_modification_setxattr:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80697-6 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setxattr oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 32-bit setxattr auid=0 oval:ssg-test_32bit_ardm_setxattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit setxattr oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit augenrules 64-bit setxattr oval:ssg-test_64bit_ardm_setxattr_augenrules_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setxattr oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 32-bit setxattr oval:ssg-test_32bit_ardm_setxattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit setxattr oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl 64-bit setxattr oval:ssg-test_64bit_ardm_setxattr_auditctl_auid_0:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod |
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_rename:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80703-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit rename oval:ssg-test_32bit_ardm_rename_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit rename oval:ssg-test_64bit_ardm_rename_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit rename oval:ssg-test_32bit_ardm_rename_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit rename oval:ssg-test_64bit_ardm_rename_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_renameat:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80704-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit renameat oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit renameat oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit renameat oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit renameat oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlink:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80706-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlink oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit unlink oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlink oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit unlink oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80707-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit unlinkat oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit unlinkat oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/delete.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit unlinkat oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit unlinkat oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80751-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80752-9 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Record Unsuccessful Access Attempts to Files - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80753-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Record Unsuccessful Access Attempts to Files - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80754-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80756-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit augenrules 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/access.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit file eacces oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 32-bit file eperm oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit file eacces oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access |
audit auditctl 64-bit file eperm oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_delete:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80711-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970, RHEL-08-030390, 4.1.3.19, SV-230446r627750_rule |
| Description | To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit delete_module oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/module-change.rules | -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit delete_module oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/module-change.rules | -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit delete_module oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit delete_module oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change |
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_kernel_module_loading_init:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80713-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule |
| Description | To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit init_module oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/module-change.rules | -a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit init_module oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/module-change.rules | -a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit init_module oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit init_module oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change |
Record Attempts to Alter Logon and Logout Events - faillock
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_faillock:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80718-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900, RHEL-08-030590, 4.1.3.12, SV-230466r627750_rule |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules faillock oval:ssg-test_arle_faillock_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/logins.rules | -w /var/log/faillock -p wa -k logins |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl faillock oval:ssg-test_arle_faillock_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /var/log/faillock -p wa -k logins |
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_login_events_lastlog:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80719-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, SRG-OS-000473-VMM-001930, SRG-OS-000470-VMM-001900, RHEL-08-030600, 4.1.3.12, SV-230467r627750_rule |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules lastlog oval:ssg-test_arle_lastlog_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/logins.rules | -w /var/log/lastlog -p wa -k logins |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl lastlog oval:ssg-test_arle_lastlog_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /var/log/lastlog -p wa -k logins |
Record attempts to alter time through adjtimex
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_adjtimex:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80745-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rulesIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rulesIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit adjtimex oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_time_rules.rules | -a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit adjtimex oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_time_rules.rules | -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit adjtimex oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit adjtimex oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules |
Record Attempts to Alter Time Through clock_settime
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_clock_settime:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80746-1 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-changeIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-changeIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-changeIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-changeThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit clock_settime oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/time-change.rules | -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit clock_settime oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/time-change.rules | -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit clock_settime oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit clock_settime oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change |
Record Attempts to Alter Time Through stime
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_stime |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_stime:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80748-7 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rulesSince the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to
read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rulesSince the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls: -a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
32 bit architecture oval:ssg-test_system_info_architecture_x86:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit stime oval:ssg-test_32bit_art_stime_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_time_rules.rules | -a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit stime oval:ssg-test_32bit_art_stime_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules |
Record Attempts to Alter the localtime File
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_time_watch_localtime:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80749-5 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rulesIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rulesThe -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used. |
| Rationale | Arbitrary changes to the system time can be used to obfuscate
nefarious activities in log files, as well as to confuse network services that
are highly dependent upon an accurate system time (such as sshd). All changes
to the system time should be audited. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit /etc/localtime watch augenrules oval:ssg-test_artw_etc_localtime_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_time_rules.rules | -w /etc/localtime -p wa -k audit_time_rules |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit /etc/localtime watch auditctl oval:ssg-test_artw_etc_localtime_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/localtime -p wa -k audit_time_rules |
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_immutable:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80708-1 References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030121, 4.1.3.20, SV-230402r627750_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules configuration locked oval:ssg-test_ari_locked_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/immutable.rules | -e 2 |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl configuration locked oval:ssg-test_ari_locked_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -e 2 |
Record Events that Modify the System's Mandatory Access Controls
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_mac_modification |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_mac_modification:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80721-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 4.1.3.14 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policyIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy |
| Rationale | The system's mandatory access policy (SELinux) should not be
arbitrarily changed by anything other than administrator action. All changes to
MAC policy should be audited. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit selinux changes augenrules oval:ssg-test_armm_selinux_watch_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/MAC-policy.rules | -w /etc/selinux/ -p wa -k MAC-policy |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit selinux changes auditctl oval:ssg-test_armm_selinux_watch_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/selinux/ -p wa -k MAC-policy |
Ensure auditd Collects Information on Exporting to Media (successful)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_media_export:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80722-2 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030302, 4.1.3.10, SV-230425r627750_rule |
| Description | At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=exportIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
| Rationale | The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit mount oval:ssg-test_32bit_ardm_mount_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit mount oval:ssg-test_64bit_ardm_mount_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/perm_mod.rules | -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit mount oval:ssg-test_32bit_ardm_mount_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit mount oval:ssg-test_64bit_ardm_mount_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod |
Record Events that Modify the System's Network Environment
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_networkconfig_modification:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80723-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, 4.1.3.5 |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modificationIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification -w /etc/issue -p wa -k audit_rules_networkconfig_modification -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification -w /etc/hosts -p wa -k audit_rules_networkconfig_modification -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
| Rationale | The network environment should not be modified by anything other
than administrator action. Any change to network parameters should be
audited. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit /etc/issue augenrules oval:ssg-test_arnm_etc_issue_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -w /etc/issue -p wa -k audit_rules_networkconfig_modification |
audit /etc/issue.net augenrules oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification |
audit /etc/hosts augenrules oval:ssg-test_arnm_etc_hosts_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -w /etc/hosts -p wa -k audit_rules_networkconfig_modification |
audit /etc/sysconfig/network augenrules oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit sethostname oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit sethostname oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit setdomainname oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit setdomainname oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit /etc/issue auditctl oval:ssg-test_arnm_etc_issue_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/issue -p wa -k audit_rules_networkconfig_modification |
audit /etc/issue.net auditctl oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/issue.net -p wa -k audit_rules_networkconfig_modification |
audit /etc/hosts auditctl oval:ssg-test_arnm_etc_hosts_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/hosts -p wa -k audit_rules_networkconfig_modification |
audit /etc/sysconfig/network auditctl oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit sethostname oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit sethostname oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit sethostname oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit sethostname oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules 32-bit setdomainname oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit augenrules 64-bit setdomainname oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_networkconfig_modification.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl 32-bit setdomainname oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
64 bit architecture oval:ssg-test_system_info_architecture_x86_64:tst:1 true
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppc_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_ppcle_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_aarch_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
64 bit architecture oval:ssg-test_system_info_architecture_s390_64:tst:1 false
Following items have been found on the system:
| Machine class | Node name | Os name | Os release | Os version | Processor type |
|---|---|---|---|---|---|
| x86_64 | ciclvl2-rhel84 | Linux | 4.18.0-305.40.1.el8_4.x86_64 | #1 SMP Tue Feb 22 07:56:15 EST 2022 | x86_64 |
audit auditctl 64-bit setdomainname oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification |
Record Attempts to Alter Process and Session Initiation Information
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_session_events |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-audit_rules_session_events:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80742-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 0582, 0584, 05885, 0586, 0846, 0957, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 4.1.3.11 |
| Description | The audit system already collects process information for all
users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k sessionIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules utmp oval:ssg-test_arse_utmp_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/session.rules | -w /var/run/utmp -p wa -k session |
audit augenrules btmp oval:ssg-test_arse_btmp_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/session.rules | -w /var/log/btmp -p wa -k session |
audit augenrules wtmp oval:ssg-test_arse_wtmp_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/session.rules | -w /var/log/wtmp -p wa -k session |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl utmp oval:ssg-test_arse_utmp_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /var/run/utmp -p wa -k session |
audit auditctl btmp oval:ssg-test_arse_btmp_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /var/log/btmp -p wa -k session |
audit auditctl wtmp oval:ssg-test_arse_wtmp_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /var/log/wtmp -p wa -k session |
Ensure auditd Collects System Administrator Actions
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules sudoers oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/actions.rules | -w /etc/sudoers -p wa -k actions |
audit augenrules sudoers oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/actions.rules | -w /etc/sudoers.d/ -p wa -k actions |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit auditctl sudoers oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/sudoers -p wa -k actions |
audit auditctl sudoers oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/sudoers.d/ -p wa -k actions |
Record Events that Modify User/Group Information - /etc/group
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules group oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/group -p wa -k audit_rules_usergroup_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit group oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/group -p wa -k audit_rules_usergroup_modification |
Record Events that Modify User/Group Information - /etc/gshadow
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules gshadow oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit gshadow oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/gshadow -p wa -k audit_rules_usergroup_modification |
Record Events that Modify User/Group Information - /etc/security/opasswd
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules opasswd oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit opasswd oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification |
Record Events that Modify User/Group Information - /etc/passwd
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules passwd oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/passwd -p wa -k audit_rules_usergroup_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit passwd oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/passwd -p wa -k audit_rules_usergroup_modification |
Record Events that Modify User/Group Information - /etc/shadow
audit augenrules oval:ssg-test_audit_rules_augenrules:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /usr/lib/systemd/system/auditd.service | ExecStartPost=-/sbin/augenrules --load |
audit augenrules shadow oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/rules.d/audit_rules_usergroup_modification.rules | -w /etc/shadow -p wa -k audit_rules_usergroup_modification |
audit auditctl oval:ssg-test_audit_rules_auditctl:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /usr/lib/systemd/system/auditd.service | ^ExecStartPost=\-\/sbin\/auditctl.*$ | 1 |
audit shadow oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/audit.rules | -w /etc/shadow -p wa -k audit_rules_usergroup_modification |
Configure auditd mail_acct Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_action_mail_acct:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80678-6 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134, SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240, RHEL-08-030020, 4.1.2.3, SV-230388r627750_rule |
| Description | The auditd service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf to ensure that administrators are notified
via email for those situations:
action_mail_acct = root |
| Rationale | Email sent to the root account is typically aliased to the
administrators of the system, who can take appropriate action. |
email account for actions oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/auditd.conf | action_mail_acct = root |
Configure auditd admin_space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_admin_space_left_action:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80679-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, 4.1.2.3 |
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
admin_space_left_action = ACTIONSet this value to single to cause the system to switch to single user
mode for corrective action. Acceptable values also include suspend and
halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Administrators should be made aware of an inability to record
audit records. If a separate partition or logical volume of adequate size
is used, running low on space for audit records should never occur. |
space left action oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/auditd.conf | admin_space_left_action = halt |
Configure auditd Max Log File Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80681-0 References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 4.1.2.1 |
| Description | Determine the amount of audit data (in megabytes)
which should be retained in each log file. Edit the file
/etc/audit/auditd.conf. Add or modify the following line, substituting
the correct value of 6 for STOREMB:
max_log_file = STOREMBSet the value to 6 (MB) or higher for general-purpose systems.
Larger values, of course,
support retention of even more audit data. |
| Rationale | The total storage for audit log files must be large enough to retain
log information over the period required. This is a function of the maximum
log file size and the number of logs retained. |
max log file size oval:ssg-test_auditd_data_retention_max_log_file:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/auditd.conf | max_log_file = 6 |
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_max_log_file_action:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80682-8 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000047-GPOS-00023, 4.1.2.2 |
| Description | The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTIONPossible values for ACTION are described in the auditd.conf man
page. These include:
ACTION to rotate to ensure log rotation
occurs. This is the default. The setting is case-insensitive. |
| Rationale | Automatically rotating logs (by setting this to rotate)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs can be employed. |
admin space left action oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/auditd.conf | max_log_file_action = keep_logs |
Configure auditd space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-auditd_data_retention_space_left_action:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80684-4 References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240, RHEL-08-030731, 4.1.2.3, SV-244543r743878_rule |
| Description | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| Rationale | Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption. |
space left action oval:ssg-test_auditd_data_retention_space_left_action:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/audit/auditd.conf | space_left_action = email |
Ensure the audit Subsystem is Installed
package audit is installed oval:ssg-test_package_audit_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| audit | x86_64 | (none) | 0.17.20191104git1c2f876.el8 | 3.0 | 0:3.0-0.17.20191104git1c2f876.el8 | 199e2f91fd431d51 | audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64 |
Enable auditd Service
package audit is installed oval:ssg-test_service_auditd_package_audit_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| audit | x86_64 | (none) | 0.17.20191104git1c2f876.el8 | 3.0 | 0:3.0-0.17.20191104git1c2f876.el8 | 199e2f91fd431d51 | audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64 |
Test that the auditd service is running oval:ssg-test_service_running_auditd:tst:1 true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| auditd.service | ActiveState | active |
systemd test oval:ssg-test_multi_user_wants_auditd:tst:1 true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
systemd test oval:ssg-test_multi_user_wants_auditd_socket:tst:1 false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_argument:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80825-3 References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, SRG-OS-000254-VMM-000880, RHEL-08-030601, 4.1.1.3, SV-230468r792904_rule |
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line
argument to newly installed kernels, add audit=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot. |
check for kernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_audit_argument_grub_env:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /boot/grub2/grubenv | kernelopts=root=/dev/mapper/rootvg-rootlv ro loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192 |
check for kernel command line parameters audit=1 in /boot/efi/EFI/redhat/grubenv for all kernels oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/efi/EFI/redhat/grubenv | ^kernelopts=(.*)$ | 1 |
check kernel command line parameters for referenced boot entries reference the $kernelopts variable. oval:ssg-test_grub2_entries_reference_kernelopts:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.40.1.el8_4.x86_64.conf | options $kernelopts $tuned_params |
| /boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.el8.x86_64.conf | options $kernelopts $tuned_params |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX oval:ssg-test_grub2_audit_argument:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/default/grub | GRUB_CMDLINE_LINUX="loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192" |
check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT oval:ssg-test_grub2_audit_argument_default:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Extend Audit Backlog Limit for the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_audit_backlog_limit_argument:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80943-4 References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001849, CCI-002884, CM-6(a), FAU_STG.1, FAU_STG.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030602, 4.1.1.4, SV-230469r792906_rule |
| Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit_backlog_limit=8192 is added as a kernel command line
argument to newly installed kernels, add audit_backlog_limit=8192 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit_backlog_limit=8192" |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken. |
check for kernel command line parameters audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /boot/grub2/grubenv | kernelopts=root=/dev/mapper/rootvg-rootlv ro loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192 |
check for kernel command line parameters audit_backlog_limit=8192 in /boot/efi/EFI/redhat/grubenv for all kernels oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env_uefi:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/efi/EFI/redhat/grubenv | ^kernelopts=(.*)$ | 1 |
check kernel command line parameters for referenced boot entries reference the $kernelopts variable. oval:ssg-test_grub2_entries_reference_kernelopts:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.40.1.el8_4.x86_64.conf | options $kernelopts $tuned_params |
| /boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.el8.x86_64.conf | options $kernelopts $tuned_params |
check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/default/grub | GRUB_CMDLINE_LINUX="loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192" |
check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/default/grub | ^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$ | 1 |
Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/default/grub | GRUB_DISABLE_RECOVERY="true" |
Verify /boot/grub2/grub.cfg Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80800-6 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, SRG-OS-000480-GPOS-00227, 1.4.2 |
| Description | The file /boot/grub2/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg |
| Rationale | The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. |
Verify /boot/grub2/grub.cfg User Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80805-5 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 1.4.2 |
| Description | The file /boot/grub2/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg |
| Rationale | Only root should be able to modify important boot parameters. |
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80828-7 References: BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, 1.4.1, SV-230235r743925_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Verify the UEFI Boot Loader grub.cfg Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_efi_grub2_cfg:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85915-7 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 1.4.2 |
| Description | The file /boot/efi/EFI/redhat/grub.cfg should
be group-owned by the root group to prevent
destruction or modification of the file.
To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg |
| Rationale | The root group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. |
Testing group ownership of /boot/efi/EFI/redhat/grub.cfg oval:ssg-test_file_groupowner_efi_grub2_cfg_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_efi_grub2_cfg_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /boot/efi/EFI/redhat/grub.cfg | oval:ssg-symlink_file_groupowner_efi_grub2_cfg_uid_0:ste:1 | oval:ssg-state_file_groupowner_efi_grub2_cfg_gid_0_0:ste:1 |
Verify the UEFI Boot Loader grub.cfg User Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_efi_grub2_cfg:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85913-2 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 1.4.2 |
| Description | The file /boot/efi/EFI/redhat/grub.cfg should
be owned by the root user to prevent destruction
or modification of the file.
To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg |
| Rationale | Only root should be able to modify important boot parameters. |
Testing user ownership of /boot/efi/EFI/redhat/grub.cfg oval:ssg-test_file_owner_efi_grub2_cfg_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_efi_grub2_cfg_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /boot/efi/EFI/redhat/grub.cfg | oval:ssg-symlink_file_owner_efi_grub2_cfg_uid_0:ste:1 | oval:ssg-state_file_owner_efi_grub2_cfg_uid_0_0:ste:1 |
Set the UEFI Boot Loader Password
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-grub2_uefi_password:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80829-5 References: BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, 1.4.1, SV-230234r743922_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
make sure a password is defined in /boot/efi/EFI/redhat/user.cfg oval:ssg-test_grub2_uefi_password_usercfg:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_uefi_password_usercfg:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /boot/efi/EFI/redhat/user.cfg | ^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$ | 1 |
Enable systemd-journald Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_systemd-journald_enabled:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85921-5 References: CCI-001665, SC-24, SRG-OS-000269-GPOS-00103, 4.2.2.2 |
| Description | The systemd-journald service is an essential component of
systemd.
The systemd-journald service can be enabled with the following command:
$ sudo systemctl enable systemd-journald.service |
| Rationale | In the event of a system failure, Red Hat Enterprise Linux 8 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes. |
package systemd is installed oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| systemd | x86_64 | (none) | 45.el8_4.8 | 239 | 0:239-45.el8_4.8 | 199e2f91fd431d51 | systemd-0:239-45.el8_4.8.x86_64 |
Test that the systemd-journald service is running oval:ssg-test_service_running_systemd-journald:tst:1 true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| systemd-journald.service | ActiveState | active |
| systemd-journald.socket | ActiveState | active |
systemd test oval:ssg-test_multi_user_wants_systemd-journald:tst:1 true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
systemd test oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1 true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
Ensure journald is configured to compress large log files
| Rule ID | xccdf_org.ssgproject.content_rule_journald_compress |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-journald_compress:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85930-6 References: 4.2.2.3 |
| Description | The journald system can compress large log files to avoid fill the system disk. |
| Rationale | Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full. |
tests the value of Compress setting in the /etc/systemd/journald.conf file oval:ssg-test_journald_compress:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/systemd/journald.conf | Compress="yes" |
Ensure journald is configured to send logs to rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_journald_forward_to_syslog |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-journald_forward_to_syslog:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85995-9 References: 4.2.1.3 |
| Description | Data from journald may be stored in volatile memory or persisted locally.
Utilities exist to accept remote export of journald logs. |
| Rationale | Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system. |
tests the value of ForwardToSyslog setting in the /etc/systemd/journald.conf file oval:ssg-test_journald_forward_to_syslog:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/systemd/journald.conf | ForwardToSyslog="yes" |
Ensure journald is configured to write log files to persistent disk
| Rule ID | xccdf_org.ssgproject.content_rule_journald_storage |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-journald_storage:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86045-2 References: 4.2.2.4 |
| Description | The journald system may store log files in volatile memory or locally on disk.
If the logs are only stored in volatile memory they will we lost upon reboot. |
| Rationale | Log files contain valuable data and need to be persistent to aid in possible investigations. |
tests the value of Storage setting in the /etc/systemd/journald.conf file oval:ssg-test_journald_storage:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/systemd/journald.conf | Storage="persistent" |
Ensure rsyslog is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsyslog_installed:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80847-7 References: BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, RHEL-08-030670, 4.2.1.1, SV-230477r627750_rule |
| Description | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo yum install rsyslog |
| Rationale | The rsyslog package provides the rsyslog daemon, which provides
system logging services. |
package rsyslog is installed oval:ssg-test_package_rsyslog_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| rsyslog | x86_64 | (none) | 7.el8_4.2 | 8.1911.0 | 0:8.1911.0-7.el8_4.2 | 199e2f91fd431d51 | rsyslog-0:8.1911.0-7.el8_4.2.x86_64 |
Enable rsyslog Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_rsyslog_enabled:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80886-5 References: BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, RHEL-08-010561, 4.2.1.2, SV-230298r627750_rule |
| Description | The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
| Rationale | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. |
package rsyslog is installed oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| rsyslog | x86_64 | (none) | 7.el8_4.2 | 8.1911.0 | 0:8.1911.0-7.el8_4.2 | 199e2f91fd431d51 | rsyslog-0:8.1911.0-7.el8_4.2.x86_64 |
Test that the rsyslog service is running oval:ssg-test_service_running_rsyslog:tst:1 true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| rsyslog.service | ActiveState | active |
systemd test oval:ssg-test_multi_user_wants_rsyslog:tst:1 true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
systemd test oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1 false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
Install firewalld Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_firewalld_installed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_firewalld_installed:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82998-6 References: CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, RHEL-08-040100, 3.4.1.1, SV-230505r744020_rule |
| Description | The firewalld package can be installed with the following command:
$ sudo yum install firewalld |
| Rationale | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity.
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." |
package firewalld is installed oval:ssg-test_package_firewalld_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| firewalld | noarch | (none) | 7.el8_4 | 0.8.2 | 0:0.8.2-7.el8_4 | 199e2f91fd431d51 | firewalld-0:0.8.2-7.el8_4.noarch |
Verify firewalld Enabled
| Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_firewalld_enabled:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80877-4 References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, RHEL-08-040101, 3.4.1.4, SV-244544r743881_rule |
| Description |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service |
| Rationale | Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols. |
package firewalld is installed oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| firewalld | noarch | (none) | 7.el8_4 | 0.8.2 | 0:0.8.2-7.el8_4 | 199e2f91fd431d51 | firewalld-0:0.8.2-7.el8_4.noarch |
Test that the firewalld service is running oval:ssg-test_service_running_firewalld:tst:1 true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| firewalld.service | ActiveState | active |
systemd test oval:ssg-test_multi_user_wants_firewalld:tst:1 true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
systemd test oval:ssg-test_multi_user_wants_firewalld_socket:tst:1 false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
Set Default firewalld Zone for Incoming Packets
| Rule ID | xccdf_org.ssgproject.content_rule_set_firewalld_default_zone |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_firewalld_default_zone:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80890-7 References: 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.3, 3.4.7, 3.13.6, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 1416, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CA-3(5), CM-7(b), SC-7(23), CM-6(a), PR.IP-1, PR.PT-3, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, 3.4.1.5 |
| Description | To set the default zone to drop for
the built-in default zone which processes incoming IPv4 and IPv6 packets,
modify the following line in
/etc/firewalld/firewalld.conf to be:
DefaultZone=drop |
| Rationale | In firewalld the default zone is applied only after all
the applicable rules in the table are examined for a match. Setting the
default zone to drop implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
| Warnings | warning
To prevent denying any access to the system, automatic remediation
of this control is not available. Remediation must be automated as
a component of machine provisioning, or followed manually as outlined
above. |
Check /etc/firewalld/firewalld.conf DefaultZone for drop oval:ssg-test_firewalld_input_drop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_firewalld_input_drop:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/firewalld/firewalld.conf | ^DefaultZone=drop$ | 1 |
Set Default ip6tables Policy for Incoming Packets
| Rule ID | xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule |
| Result | notchecked |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-85965-2 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, PR.PT-3, 3.4.3.3.4 |
| Description | To set the default policy to DROP (instead of ACCEPT) for
the built-in INPUT chain which processes incoming packets,
add or correct the following line in
/etc/sysconfig/ip6tables:
:INPUT DROP [0:0]If changes were required, reload the ip6tables rules: $ sudo service ip6tables reload |
| Rationale | In ip6tables, the default policy is applied only after all
the applicable rules in the table are examined for a match. Setting the
default policy to DROP implements proper design for a firewall, i.e.
any packets which are not explicitly permitted should not be
accepted. |
Configure Accepting Router Advertisements on All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81006-9 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, 3.3.9, SV-230541r833351_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_disable_ipv6 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 false
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_ra static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv6.conf.all.accept_ra=0 |
net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv6.conf.all.accept_ra=0 |
net.ipv6.conf.all.accept_ra static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_accept_ra oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_ra_counter:var:1 | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.accept_ra | 0 |
Disable Accepting ICMP Redirects for All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81009-3 References: BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, 3.3.2, SV-230544r833357_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_disable_ipv6 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 false
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv6.conf.all.accept_redirects=0 |
net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv6.conf.all.accept_redirects=0 |
net.ipv6.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_accept_redirects oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81013-5 References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, 3.3.1, SV-230538r833346_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_disable_ipv6 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 false
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv6.conf.all.accept_source_route=0 |
net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv6.conf.all.accept_source_route=0 |
net.ipv6.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_accept_source_route oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_source_route_counter:var:1 | 1 |
kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.accept_source_route | 0 |
Disable Kernel Parameter for IPv6 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82863-2 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040260, 3.2.1, SV-230540r833349_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0 |
| Rationale | IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers. |
net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_disable_ipv6 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 false
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.all.forwarding static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv6.conf.all.forwarding=0 |
net.ipv6.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv6.conf.all.forwarding=0 |
net.ipv6.conf.all.forwarding static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_forwarding oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_forwarding_counter:var:1 | 1 |
kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.forwarding | 0 |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81007-7 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, 3.3.9, SV-230542r833353_rule |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_disable_ipv6 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 false
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_ra static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv6.conf.default.accept_ra=0 |
net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv6.conf.default.accept_ra=0 |
net.ipv6.conf.default.accept_ra static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_default_accept_ra oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_ra_counter:var:1 | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.default.accept_ra | 0 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81010-1 References: BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, 3.3.2, SV-230535r833340_rule |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_disable_ipv6 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 false
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv6.conf.default.accept_redirects=0 |
net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv6.conf.default.accept_redirects=0 |
net.ipv6.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_default_accept_redirects oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.default.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81015-0 References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040250, 3.3.1, SV-230539r838722_rule |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
net.ipv6.conf.all.disable_ipv6 static configuration oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysctl.conf | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_all_disable_ipv6 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1 |
kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1 oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1 false
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.all.disable_ipv6 | 0 |
net.ipv6.conf.default.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv6.conf.default.accept_source_route=0 |
net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv6.conf.default.accept_source_route=0 |
net.ipv6.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv6_conf_default_accept_source_route oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_source_route_counter:var:1 | 1 |
kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv6.conf.default.accept_source_route | 0 |
Disable Accepting ICMP Redirects for All IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80917-8 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040279, 3.3.2, SV-244553r833379_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required." |
net.ipv4.conf.all.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.all.accept_redirects=0 |
net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.all.accept_redirects=0 |
net.ipv4.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_all_accept_redirects oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.all.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81011-9 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040239, 3.3.1, SV-244551r833375_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
net.ipv4.conf.all.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.all.accept_source_route=0 |
net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.all.accept_source_route=0 |
net.ipv4.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_all_accept_source_route oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_source_route_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.all.accept_source_route | 0 |
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-81018-4 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.4 |
| Description | To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.log_martians=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.log_martians = 1 |
| Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
net.ipv4.conf.all.log_martians static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.all.log_martians=1 |
net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.all.log_martians=1 |
net.ipv4.conf.all.log_martians static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_all_log_martians oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_all_log_martians_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.all.log_martians | 1 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1 |
| Time | 2022-11-07T15:05:18+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81021-8 References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040285, 3.3.7, SV-230549r833367_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1 |
| Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
net.ipv4.conf.all.rp_filter static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.all.rp_filter=1 |
net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.all.rp_filter=1 |
net.ipv4.conf.all.rp_filter static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_all_rp_filter oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_all_rp_filter_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1 or 2 oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.all.rp_filter | 1 |
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81016-8 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.3 |
| Description | To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.secure_redirects = 0 |
| Rationale | Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required. |
net.ipv4.conf.all.secure_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.all.secure_redirects=0 |
net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.all.secure_redirects=0 |
net.ipv4.conf.all.secure_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_all_secure_redirects oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_all_secure_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.all.secure_redirects | 0 |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80919-4 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040209, 3.3.2, SV-244550r833373_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. |
net.ipv4.conf.default.accept_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.default.accept_redirects=0 |
net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.default.accept_redirects=0 |
net.ipv4.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_default_accept_redirects oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.default.accept_redirects | 0 |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80920-2 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040249, 3.3.1, SV-244552r833377_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. |
net.ipv4.conf.default.accept_source_route static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.default.accept_source_route=0 |
net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.default.accept_source_route=0 |
net.ipv4.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_default_accept_source_route oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_source_route_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.default.accept_source_route | 0 |
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-81020-0 References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.4 |
| Description | To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.log_martians=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.log_martians = 1 |
| Rationale | The presence of "martian" packets (which have impossible addresses)
as well as spoofed packets, source-routed packets, and redirects could be a
sign of nefarious network activity. Logging these packets enables this activity
to be detected. |
net.ipv4.conf.default.log_martians static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.default.log_martians=1 |
net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.default.log_martians=1 |
net.ipv4.conf.default.log_martians static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_default_log_martians oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_default_log_martians_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.default.log_martians | 1 |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81022-6 References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.7 |
| Description | To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.rp_filter = 1 |
| Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
net.ipv4.conf.default.rp_filter static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.default.rp_filter=1 |
net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.default.rp_filter=1 |
net.ipv4.conf.default.rp_filter static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_default_rp_filter oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_default_rp_filter_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.default.rp_filter | 1 |
Configure Kernel Parameter for Accepting Secure Redirects By Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81017-6 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.3 |
| Description | To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.secure_redirects = 0 |
| Rationale | Accepting "secure" ICMP redirects (from those gateways listed as
default gateways) has few legitimate uses. It should be disabled unless it is
absolutely required. |
net.ipv4.conf.default.secure_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.default.secure_redirects=0 |
net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.default.secure_redirects=0 |
net.ipv4.conf.default.secure_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_default_secure_redirects oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_default_secure_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.default.secure_redirects | 0 |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80922-8 References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040230, 3.3.5, SV-230537r833344_rule |
| Description | To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1 |
| Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
net.ipv4.icmp_echo_ignore_broadcasts static configuration oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.icmp_echo_ignore_broadcasts=1 |
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.icmp_echo_ignore_broadcasts=1 |
net.ipv4.icmp_echo_ignore_broadcasts static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_icmp_echo_ignore_broadcasts oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.icmp_echo_ignore_broadcasts | 1 |
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-81023-4 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.6 |
| Description | To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_ignore_bogus_error_responses = 1 |
| Rationale | Ignoring bogus ICMP error responses reduces
log size, although some activity would not be logged. |
net.ipv4.icmp_ignore_bogus_error_responses static configuration oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.icmp_ignore_bogus_error_responses=1 |
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.icmp_ignore_bogus_error_responses=1 |
net.ipv4.icmp_ignore_bogus_error_responses static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_icmp_ignore_bogus_error_responses oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.icmp_ignore_bogus_error_responses | 1 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80918-6 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040220, 3.2.2, SV-230536r833342_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
net.ipv4.conf.all.send_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.all.send_redirects=0 |
net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.all.send_redirects=0 |
net.ipv4.conf.all.send_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_all_send_redirects oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_all_send_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0 oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.all.send_redirects | 0 |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80921-0 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040270, 3.2.2, SV-230543r833355_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
net.ipv4.conf.default.send_redirects static configuration oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.conf.default.send_redirects=0 |
net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.conf.default.send_redirects=0 |
net.ipv4.conf.default.send_redirects static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_conf_default_send_redirects oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_conf_default_send_redirects_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0 oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.conf.default.send_redirects | 0 |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_net_ipv4_ip_forward:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81024-2 References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.2.1 |
| Description | To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0 |
| Rationale | Routing protocol daemons are typically used on routers to exchange
network topology information with other routers. If this capability is used when
not required, system network information may be unnecessarily transmitted across
the network. |
| Warnings | warning
Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
profiles or benchmarks that target usage of IPv4 forwarding. warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV host requires IPv4 forwarding for the Hosted Engine bootstrap VM to reach network outside of the initial host. |
net.ipv4.ip_forward static configuration oval:ssg-test_sysctl_net_ipv4_ip_forward_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | net.ipv4.ip_forward=0 |
net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_ip_forward_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | net.ipv4.ip_forward=0 |
net.ipv4.ip_forward static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_net_ipv4_ip_forward_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains net_ipv4_ip_forward oval:ssg-test_sysctl_net_ipv4_ip_forward_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_net_ipv4_ip_forward_counter:var:1 | 1 |
kernel runtime parameter net.ipv4.ip_forward set to 0 oval:ssg-test_sysctl_net_ipv4_ip_forward_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| net.ipv4.ip_forward | 0 |
Disable DCCP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_dccp_disabled:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80833-7 References: 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-001958, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000096-GPOS-00050, SRG-OS-000378-GPOS-00163, 3.1.3 |
| Description | The Datagram Congestion Control Protocol (DCCP) is a
relatively new transport layer protocol, designed to support
streaming media and telephony.
To configure the system to prevent the dccp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf:
install dccp /bin/trueTo configure the system to prevent the dccp from being used,
add the following line to file /etc/modprobe.d/dccp.conf:
blacklist dccp |
| Rationale | Disabling DCCP protects
the system against exploitation of any flaws in its implementation. |
kernel module dccp blacklisted oval:ssg-test_kernmod_dccp_blacklisted:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/dccp.conf | blacklist dccp |
kernel module dccp disabled oval:ssg-test_kernmod_dccp_disabled:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/dccp.conf | install dccp /bin/true |
Disable SCTP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_sctp_disabled:def:1 |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80834-5 References: 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040023, 3.1.2, SV-230496r792917_rule |
| Description | The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/trueTo configure the system to prevent the sctp from being used,
add the following line to file /etc/modprobe.d/sctp.conf:
blacklist sctp |
| Rationale | Disabling SCTP protects
the system against exploitation of any flaws in its implementation. |
kernel module sctp blacklisted oval:ssg-test_kernmod_sctp_blacklisted:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/sctp.conf | blacklist sctp |
kernel module sctp disabled oval:ssg-test_kernmod_sctp_disabled:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/sctp.conf | install sctp /bin/true |
Deactivate Wireless Network Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:19+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83501-7 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, RHEL-08-040110, 3.1.4, SV-230506r627750_rule |
| Description | Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off |
| Rationale | The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks will allow an attacker to spoof a wireless access point
(AP), allowing validated systems to connect to the malicious AP and enabling the
attacker to monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources. |
Verify Group Who Owns Backup group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_group:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83475-4 References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.9 |
| Description | To properly set the group owner of /etc/group-, run the command: $ sudo chgrp root /etc/group- |
| Rationale | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
Testing group ownership of /etc/group- oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/group- | oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1 |
Verify Group Who Owns Backup gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_gshadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83535-5 References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.10 |
| Description | To properly set the group owner of /etc/gshadow-, run the command: $ sudo chgrp root /etc/gshadow- |
| Rationale | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. |
Testing group ownership of /etc/gshadow- oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/gshadow- | oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1 |
Verify Group Who Owns Backup passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_passwd:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83324-4 References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.7 |
| Description | To properly set the group owner of /etc/passwd-, run the command: $ sudo chgrp root /etc/passwd- |
| Rationale | The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
Testing group ownership of /etc/passwd- oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/passwd- | oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1 |
Verify User Who Owns Backup shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_backup_etc_shadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83415-0 References: SRG-OS-000480-GPOS-00227, 6.1.8 |
| Description | To properly set the group owner of /etc/shadow-, run the command: $ sudo chgrp root /etc/shadow- |
| Rationale | The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
Testing group ownership of /etc/shadow- oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/shadow- | oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1 |
Verify Group Who Owns group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_group |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_group:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80796-6 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.5 |
| Description | To properly set the group owner of /etc/group, run the command: $ sudo chgrp root /etc/group |
| Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
Testing group ownership of /etc/group oval:ssg-test_file_groupowner_etc_group_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_group_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/group | oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1 |
Verify Group Who Owns gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_gshadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80797-4 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.6 |
| Description | To properly set the group owner of /etc/gshadow, run the command: $ sudo chgrp root /etc/gshadow |
| Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
Testing group ownership of /etc/gshadow oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/gshadow | oval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1 |
Verify Group Who Owns passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_passwd:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80798-2 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3 |
| Description | To properly set the group owner of /etc/passwd, run the command: $ sudo chgrp root /etc/passwd |
| Rationale | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
Testing group ownership of /etc/passwd oval:ssg-test_file_groupowner_etc_passwd_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_passwd_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/passwd | oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1 |
Verify Group Who Owns shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_etc_shadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80799-0 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4 |
| Description | To properly set the group owner of /etc/shadow, run the command: $ sudo chgrp root /etc/shadow |
| Rationale | The /etc/shadow file stores password hashes. Protection of this file is
critical for system security. |
Testing group ownership of /etc/shadow oval:ssg-test_file_groupowner_etc_shadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_shadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/shadow | oval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1 |
Verify User Who Owns Backup group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_group:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83473-9 References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.9 |
| Description | To properly set the owner of /etc/group-, run the command: $ sudo chown root /etc/group- |
| Rationale | The /etc/group- file is a backup file of /etc/group, and as such,
it contains information regarding groups that are configured on the system.
Protection of this file is important for system security. |
Testing user ownership of /etc/group- oval:ssg-test_file_owner_backup_etc_group_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_group_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/group- | oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1 |
Verify User Who Owns Backup gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_gshadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83533-0 References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.10 |
| Description | To properly set the owner of /etc/gshadow-, run the command: $ sudo chown root /etc/gshadow- |
| Rationale | The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
it contains group password hashes. Protection of this file is critical for system security. |
Testing user ownership of /etc/gshadow- oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/gshadow- | oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1 |
Verify User Who Owns Backup passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_passwd:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83326-9 References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.7 |
| Description | To properly set the owner of /etc/passwd-, run the command: $ sudo chown root /etc/passwd- |
| Rationale | The /etc/passwd- file is a backup file of /etc/passwd, and as such,
it contains information about the users that are configured on the system.
Protection of this file is critical for system security. |
Testing user ownership of /etc/passwd- oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/passwd- | oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1 |
Verify Group Who Owns Backup shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_backup_etc_shadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83413-5 References: CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.8 |
| Description | To properly set the owner of /etc/shadow-, run the command: $ sudo chown root /etc/shadow- |
| Rationale | The /etc/shadow- file is a backup file of /etc/shadow, and as such,
it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security. |
Testing user ownership of /etc/shadow- oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/shadow- | oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1 |
Verify User Who Owns group File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_group |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_group:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80801-4 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.5 |
| Description | To properly set the owner of /etc/group, run the command: $ sudo chown root /etc/group |
| Rationale | The /etc/group file contains information regarding groups that are configured
on the system. Protection of this file is important for system security. |
Testing user ownership of /etc/group oval:ssg-test_file_owner_etc_group_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_group_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/group | oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1 | oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1 |
Verify User Who Owns gshadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_gshadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80802-2 References: BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.6 |
| Description | To properly set the owner of /etc/gshadow, run the command: $ sudo chown root /etc/gshadow |
| Rationale | The /etc/gshadow file contains group password hashes. Protection of this file
is critical for system security. |
Testing user ownership of /etc/gshadow oval:ssg-test_file_owner_etc_gshadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_gshadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/gshadow | oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1 | oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1 |
Verify User Who Owns passwd File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_passwd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_passwd:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80803-0 References: 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3 |
| Description | To properly set the owner of /etc/passwd, run the command: $ sudo chown root /etc/passwd |
| Rationale | The /etc/passwd file contains information about the users that are configured on
the system. Protection of this file is critical for system security. |
Testing user ownership of /etc/passwd oval:ssg-test_file_owner_etc_passwd_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_passwd_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/passwd | oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1 | oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1 |
Verify User Who Owns shadow File
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_etc_shadow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_etc_shadow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80804-8 References: BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4 |
| Description | To properly set the owner of /etc/shadow, run the command: $ sudo chown root /etc/shadow |
| Rationale | The /etc/shadow file contains the list of local
system accounts and stores password hashes. Protection of this file is
critical for system security. Failure to give ownership of this file
to root provides the designated owner with access to sensitive information
which could weaken the system security posture. |
Testing user ownership of /etc/shadow oval:ssg-test_file_owner_etc_shadow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_shadow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/shadow | oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1 | oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1 |
Verify that All World-Writable Directories Have Sticky Bits Set
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_sticky_bits:def:1 |
| Time | 2022-11-07T15:05:20+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80783-4 References: BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, RHEL-08-010190, 6.1.2, SV-230243r792857_rule |
| Description | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR |
| Rationale | Failing to set the sticky bit on public directories allows unauthorized
users to delete files in the directory structure.
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and
for directories requiring global read/write access. |
all local world-writable directories have sticky bit set oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_only_local_directories:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | no value | oval:ssg-state_world_writable_and_not_sticky:ste:1 |
Ensure All Files Are Owned by a User
| Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_files_unowned_by_user:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83499-4 References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010780, 6.1.12, SV-230326r627750_rule |
| Description | If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user. The following command will discover and print
any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted
filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser |
| Rationale | Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. |
| Warnings | warning
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwdreturns a list of all users in your organization. If using the System Security Services Daemon (SSSD), enumerate = truemust be configured in your organization's domain to return a complete list of users warning
Enabling this rule will result in slower scan times depending on the size of your organization
and number of centralized users. |
Check user ids on all files on the system oval:ssg-no_files_unowned_by_user_test:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-file_permissions_unowned_object:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | .* | oval:ssg-file_permissions_unowned_userid_list_match:ste:1 |
Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_autofs_disabled:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80873-3 References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, 1.1.9, SV-230502r627750_rule |
| Description | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service |
| Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity. |
package autofs is removed oval:ssg-test_service_autofs_package_autofs_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1 of type rpminfo_object
| Name |
|---|
| autofs |
Test that the autofs service is not running oval:ssg-test_service_not_running_autofs:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^autofs\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service autofs is masked oval:ssg-test_service_loadstate_is_masked_autofs:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^autofs\.(service|socket)$ | LoadState |
Disable Mounting of cramfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_cramfs_disabled:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-81031-7 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, 1.1.1.1, SV-230498r792922_rule |
| Description |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/trueTo configure the system to prevent the cramfs from being used,
add the following line to file /etc/modprobe.d/cramfs.conf:
blacklist cramfsThis effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack surface
of the server. |
kernel module cramfs blacklisted oval:ssg-test_kernmod_cramfs_blacklisted:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/cramfs.conf | blacklist cramfs |
kernel module cramfs disabled oval:ssg-test_kernmod_cramfs_disabled:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/cramfs.conf | install cramfs /bin/true |
Disable Mounting of squashfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_squashfs_disabled:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-83498-6 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.2 |
| Description |
To configure the system to prevent the squashfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
install squashfs /bin/trueTo configure the system to prevent the squashfs from being used,
add the following line to file /etc/modprobe.d/squashfs.conf:
blacklist squashfsThis effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux
filesystem embedded in small footprint systems (similar to
cramfs). A squashfs image can be used without having
to first decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack
surface of the system. |
kernel module squashfs blacklisted oval:ssg-test_kernmod_squashfs_blacklisted:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/squashfs.conf | blacklist squashfs |
kernel module squashfs disabled oval:ssg-test_kernmod_squashfs_disabled:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/squashfs.conf | install squashfs /bin/true |
Disable Mounting of udf
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_udf_disabled:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82729-5 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.3 |
| Description |
To configure the system to prevent the udf
kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:
install udf /bin/trueTo configure the system to prevent the udf from being used,
add the following line to file /etc/modprobe.d/udf.conf:
blacklist udfThis effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format
used to implement the ISO/IEC 13346 and ECMA-167 specifications.
This is an open vendor filesystem type for data storage on a broad
range of media. This filesystem type is neccessary to support
writing DVDs and newer optical disc formats. |
| Rationale | Removing support for unneeded filesystem types reduces the local
attack surface of the system. |
kernel module udf blacklisted oval:ssg-test_kernmod_udf_blacklisted:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/udf.conf | blacklist udf |
kernel module udf disabled oval:ssg-test_kernmod_udf_disabled:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/udf.conf | install udf /bin/true |
Disable Modprobe Loading of USB Storage Driver
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-kernel_module_usb-storage_disabled:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80835-2 References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, 1.1.10, SV-230503r809319_rule |
| Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/trueTo configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storageThis will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| Rationale | USB storage devices such as thumb drives can be used to introduce
malicious software. |
kernel module usb-storage blacklisted oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/usb-storage.conf | blacklist usb-storage |
kernel module usb-storage disabled oval:ssg-test_kernmod_usb-storage_disabled:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/modprobe.d/usb-storage.conf | install usb-storage /bin/true |
Add nodev Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nodev:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80837-8 References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040120, 1.1.8.1, SV-230508r627750_rule |
| Description | The nodev mount option can be used to prevent creation of device
files in /dev/shm. Legitimate character and block devices should
not exist within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
nodev on /dev/shm optional no oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /dev/shm | tmpfs | tmpfs | rw | seclabel | nosuid | nodev | noexec | 478209 | 0 | 478209 |
/dev/shm exists oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /dev/shm | tmpfs | tmpfs | rw | seclabel | nosuid | nodev | noexec | 478209 | 0 | 478209 |
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_noexec:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80838-6 References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040122, 1.1.8.2, SV-230510r627750_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
noexec on /dev/shm optional no oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /dev/shm | tmpfs | tmpfs | rw | seclabel | nosuid | nodev | noexec | 478209 | 0 | 478209 |
/dev/shm exists oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /dev/shm | tmpfs | tmpfs | rw | seclabel | nosuid | nodev | noexec | 478209 | 0 | 478209 |
Add nosuid Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_dev_shm_nosuid:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80839-4 References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, 1.1.8.3, SV-230509r627750_rule |
| Description | The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
nosuid on /dev/shm optional no oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /dev/shm | tmpfs | tmpfs | rw | seclabel | nosuid | nodev | noexec | 478209 | 0 | 478209 |
/dev/shm exists oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /dev/shm | tmpfs | tmpfs | rw | seclabel | nosuid | nodev | noexec | 478209 | 0 | 478209 |
Add nodev Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nodev |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_home_nodev:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-81048-1 References: BP28(R12), SRG-OS-000368-GPOS-00154, 1.1.7.2 |
| Description | The nodev mount option can be used to prevent device files from
being created in /home.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
nodev on /home optional yes oval:ssg-test_home_partition_nodev_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /home | /dev/mapper/rootvg-homelv | 841c3ec8-e576-405d-80ff-4ae2bf8883ad | xfs | rw | seclabel | nosuid | nodev | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 259584 | 46637 | 212947 |
Add nosuid Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_home_nosuid:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-81050-7 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, 1.1.7.3, SV-230299r627750_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions. |
nosuid on /home optional yes oval:ssg-test_home_partition_nosuid_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /home | /dev/mapper/rootvg-homelv | 841c3ec8-e576-405d-80ff-4ae2bf8883ad | xfs | rw | seclabel | nosuid | nodev | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 259584 | 46637 | 212947 |
Add nodev Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_tmp_nodev:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82623-0 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, 1.1.2.2, SV-230511r627750_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /tmp. Legitimate character and block devices
should not exist within temporary directories like /tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
nodev on /tmp optional yes oval:ssg-test_tmp_partition_nodev_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /tmp | /dev/mapper/rootvg-tmplv | 10a53d6f-3d9b-403a-a691-083632225621 | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 521728 | 24692 | 497036 |
Add noexec Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_tmp_noexec:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82139-7 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, 1.1.2.3, SV-230513r627750_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
noexec on /tmp optional yes oval:ssg-test_tmp_partition_noexec_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /tmp | /dev/mapper/rootvg-tmplv | 10a53d6f-3d9b-403a-a691-083632225621 | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 521728 | 24692 | 497036 |
Add nosuid Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_tmp_nosuid:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82140-5 References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, 1.1.2.4, SV-230512r627750_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
nosuid on /tmp optional yes oval:ssg-test_tmp_partition_nosuid_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /tmp | /dev/mapper/rootvg-tmplv | 10a53d6f-3d9b-403a-a691-083632225621 | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 521728 | 24692 | 497036 |
Add nodev Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_audit_nodev:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82080-3 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, 1.1.6.3, SV-230517r627750_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log/audit.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
nodev on /var/log/audit optional yes oval:ssg-test_var_log_audit_partition_nodev_optional_yes:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_partition_nodev_optional_yes:obj:1 of type partition_object
| Mount point |
|---|
| /var/log/audit |
Add noexec Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_audit_noexec:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82975-4 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, 1.1.6.2, SV-230519r627750_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log/audit.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | Allowing users to execute binaries from directories containing audit log files
such as /var/log/audit should never be necessary in normal operation and
can expose the system to potential compromise. |
noexec on /var/log/audit optional yes oval:ssg-test_var_log_audit_partition_noexec_optional_yes:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_partition_noexec_optional_yes:obj:1 of type partition_object
| Mount point |
|---|
| /var/log/audit |
Add nosuid Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_audit_nosuid:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82921-8 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, 1.1.6.4, SV-230518r627750_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log/audit. The SUID and SGID permissions
should not be required in directories containing audit log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for audit log files. |
nosuid on /var/log/audit optional yes oval:ssg-test_var_log_audit_partition_nosuid_optional_yes:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_partition_nosuid_optional_yes:obj:1 of type partition_object
| Mount point |
|---|
| /var/log/audit |
Add nodev Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_nodev:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82077-9 References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040126, 1.1.5.2, SV-230514r627750_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
nodev on /var/log optional yes oval:ssg-test_var_log_partition_nodev_optional_yes:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_partition_nodev_optional_yes:obj:1 of type partition_object
| Mount point |
|---|
| /var/log |
Add noexec Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_noexec:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82008-4 References: BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, 1.1.5.3, SV-230516r627750_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | Allowing users to execute binaries from directories containing log files
such as /var/log should never be necessary in normal operation and
can expose the system to potential compromise. |
noexec on /var/log optional yes oval:ssg-test_var_log_partition_noexec_optional_yes:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_partition_noexec_optional_yes:obj:1 of type partition_object
| Mount point |
|---|
| /var/log |
Add nosuid Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_log_nosuid:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82065-4 References: BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, 1.1.5.4, SV-230515r627750_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log. The SUID and SGID permissions
should not be required in directories containing log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for log files. |
nosuid on /var/log optional yes oval:ssg-test_var_log_partition_nosuid_optional_yes:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_partition_nosuid_optional_yes:obj:1 of type partition_object
| Mount point |
|---|
| /var/log |
Add nodev Option to /var
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_nodev |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_nodev:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82062-1 References: CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.3.2 |
| Description | The nodev mount option can be used to prevent device files from
being created in /var.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
nodev on /var optional yes oval:ssg-test_var_partition_nodev_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /var | /dev/mapper/rootvg-varlv | 2e953a84-ce4d-4d23-9527-029c4011938c | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 2094592 | 145268 | 1949324 |
Add noexec Option to /var
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_noexec |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_noexec:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83330-1 |
| Description | The noexec mount option can be used to prevent binaries from being
executed out of /var.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var. |
| Rationale | The /var directory contains variable system data such as logs,
mails and caches. No binaries should be executed from this directory. |
noexec on /var optional yes oval:ssg-test_var_partition_noexec_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /var | /dev/mapper/rootvg-varlv | 2e953a84-ce4d-4d23-9527-029c4011938c | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 2094592 | 145268 | 1949324 |
Add nosuid Option to /var
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_nosuid |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-mount_option_var_nosuid:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-83383-0 |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var. The SUID and SGID permissions
should not be required for this directory.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. |
nosuid on /var optional yes oval:ssg-test_var_partition_nosuid_optional_yes:tst:1 true
Following items have been found on the system:
| Mount point | Device | Uuid | Fs type | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Mount options | Total space | Space used | Space left |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| /var | /dev/mapper/rootvg-varlv | 2e953a84-ce4d-4d23-9527-029c4011938c | xfs | rw | seclabel | nosuid | nodev | noexec | relatime | attr2 | inode64 | logbufs=8 | logbsize=32k | noquota | bind | 2094592 | 145268 | 1949324 |
Add nodev Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82068-8 References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040132, 1.1.4.4, SV-230520r792927_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/tmp. Legitimate character and block devices
should not exist within temporary directories like /var/tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82151-2 References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, 1.1.4.2, SV-230522r792933_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /var/tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82154-6 References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, 1.1.4.3, SV-230521r792930_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Disable core dump backtraces
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82251-0 References: CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, 1.5.2, SV-230315r627750_rule |
| Description | The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_backtraces:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/systemd/coredump.conf | [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= ProcessSizeMax=0 |
Disable storing core dump
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82252-8 References: CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, 1.5.1, SV-230314r627750_rule |
| Description | The Storage option in [Coredump] section
of /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of Storage setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_storage:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/systemd/coredump.conf | [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= ProcessSizeMax=0 Storage=none |
Enable Randomized Layout of Virtual Address Space
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sysctl_kernel_randomize_va_space:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80916-0 References: BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, RHEL-08-010430, 1.5.3, SV-230280r833303_rule |
| Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
| Rationale | Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques. |
kernel.randomize_va_space static configuration oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.conf | kernel.randomize_va_space=2 |
kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/sysctl.d/99-sysctl.conf | kernel.randomize_va_space=2 |
kernel.randomize_va_space static configuration in /run/sysctl.d/*.conf oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /run/sysctl.d | ^.*\.conf$ | ^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$ | 1 |
Check that only one file contains kernel_randomize_va_space oval:ssg-test_sysctl_kernel_randomize_va_space_defined_in_one_file:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-local_var_sysctl_kernel_randomize_va_space_counter:var:1 | 1 |
kernel runtime parameter kernel.randomize_va_space set to 2 oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1 true
Following items have been found on the system:
| Name | Value |
|---|---|
| kernel.randomize_va_space | 2 |
Install libselinux Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_libselinux_installed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_libselinux_installed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82877-2 References: 1.6.1.1 |
| Description | The libselinux package can be installed with the following command:
$ sudo yum install libselinux |
| Rationale | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The libselinux package contains the core library of the Security-enhanced Linux system. |
package libselinux is installed oval:ssg-test_package_libselinux_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| libselinux | x86_64 | (none) | 5.el8 | 2.9 | 0:2.9-5.el8 | 199e2f91fd431d51 | libselinux-0:2.9-5.el8.x86_64 |
Uninstall mcstrans Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_mcstrans_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_mcstrans_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82756-8 References: 1.6.1.8 |
| Description | The mcstransd daemon provides category label information
to client processes requesting information. The label translations are defined
in /etc/selinux/targeted/setrans.conf.
The mcstrans package can be removed with the following command:
$ sudo yum erase mcstrans |
| Rationale | Since this service is not used very often, disable it to reduce the
amount of potentially vulnerable code running on the system. |
package mcstrans is removed oval:ssg-test_package_mcstrans_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_mcstrans_removed:obj:1 of type rpminfo_object
| Name |
|---|
| mcstrans |
Uninstall setroubleshoot Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_setroubleshoot_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82755-0 |
| Description | The SETroubleshoot service notifies desktop users of SELinux
denials. The service provides information around configuration errors,
unauthorized intrusions, and other potential errors.
The setroubleshoot package can be removed with the following command:
$ sudo yum erase setroubleshoot |
| Rationale | The SETroubleshoot service is an unnecessary daemon to
have running on a server, especially if
X Windows is removed or disabled. |
package setroubleshoot is removed oval:ssg-test_package_setroubleshoot_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_setroubleshoot_removed:obj:1 of type rpminfo_object
| Name |
|---|
| setroubleshoot |
Ensure SELinux Not Disabled in /etc/default/grub
check value selinux|enforcing=0 in /etc/default/grub, fail if found oval:ssg-test_selinux_default_grub:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_default_grub:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/default/grub | ^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$ | 1 |
check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found oval:ssg-test_selinux_grub2_cfg:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/grub2.cfg | ^.*(selinux|enforcing)=0.*$ | 1 |
check value selinux|enforcing=0 in /etc/grub.d fail if found oval:ssg-test_selinux_grub_dir:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/grub.d | ^.*$ | ^.*(selinux|enforcing)=0.*$ | 1 |
Ensure No Daemons are Unconfined by SELinux
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_confinement_of_daemons:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80867-5 References: 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-3, 1.6.1.6 |
| Description | Daemons for which the SELinux policy does not contain rules will inherit the
context of the parent process. Because daemons are launched during
startup and descend from the init process, they inherit the unconfined_service_t context.
To check for unconfined daemons, run the following command: $ sudo ps -eZ | grep "unconfined_service_t"It should produce no output in a well-configured system. |
| Rationale | Daemons which run with the unconfined_service_t context may cause AVC denials,
or allow privileges that the daemon does not require. |
| Warnings | warning
Automatic remediation of this control is not available. Remediation
can be achieved by amending SELinux policy or stopping the unconfined
daemons as outlined above. |
none satisfy unconfined_service_t in /proc oval:ssg-test_selinux_confinement_of_daemons:tst:1 false
Following items have been found on the system:
| Filepath | Path | Filename | User | Role | Type | Low sensitivity | Rawlow sensitivity |
|---|---|---|---|---|---|---|---|
| /proc/1441/status | /proc/1441 | status | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/auxv | /proc/1441 | auxv | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/environ | /proc/1441 | environ | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/personality | /proc/1441 | personality | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/limits | /proc/1441 | limits | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/sched | /proc/1441 | sched | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/autogroup | /proc/1441 | autogroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/timens_offsets | /proc/1441 | timens_offsets | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/comm | /proc/1441 | comm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/syscall | /proc/1441 | syscall | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/cmdline | /proc/1441 | cmdline | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/stat | /proc/1441 | stat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/statm | /proc/1441 | statm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/maps | /proc/1441 | maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/numa_maps | /proc/1441 | numa_maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/mem | /proc/1441 | mem | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/mountinfo | /proc/1441 | mountinfo | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/mounts | /proc/1441 | mounts | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/mountstats | /proc/1441 | mountstats | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/clear_refs | /proc/1441 | clear_refs | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/smaps | /proc/1441 | smaps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/smaps_rollup | /proc/1441 | smaps_rollup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/pagemap | /proc/1441 | pagemap | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/wchan | /proc/1441 | wchan | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/stack | /proc/1441 | stack | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/schedstat | /proc/1441 | schedstat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/cpuset | /proc/1441 | cpuset | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/cgroup | /proc/1441 | cgroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/cpu_resctrl_groups | /proc/1441 | cpu_resctrl_groups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/oom_score | /proc/1441 | oom_score | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/oom_adj | /proc/1441 | oom_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/oom_score_adj | /proc/1441 | oom_score_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/loginuid | /proc/1441 | loginuid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/sessionid | /proc/1441 | sessionid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/coredump_filter | /proc/1441 | coredump_filter | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/io | /proc/1441 | io | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/uid_map | /proc/1441 | uid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/gid_map | /proc/1441 | gid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/projid_map | /proc/1441 | projid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/setgroups | /proc/1441 | setgroups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/timers | /proc/1441 | timers | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/timerslack_ns | /proc/1441 | timerslack_ns | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/mounts | /proc/3457 | mounts | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/1441/patch_state | /proc/1441 | patch_state | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/environ | /proc/3457 | environ | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/auxv | /proc/3457 | auxv | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/status | /proc/3457 | status | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/personality | /proc/3457 | personality | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/limits | /proc/3457 | limits | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/sched | /proc/3457 | sched | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/autogroup | /proc/3457 | autogroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/timens_offsets | /proc/3457 | timens_offsets | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/comm | /proc/3457 | comm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/syscall | /proc/3457 | syscall | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/cmdline | /proc/3457 | cmdline | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/stat | /proc/3457 | stat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/statm | /proc/3457 | statm | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/maps | /proc/3457 | maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/numa_maps | /proc/3457 | numa_maps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/mem | /proc/3457 | mem | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/mountinfo | /proc/3457 | mountinfo | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/mountstats | /proc/3457 | mountstats | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/clear_refs | /proc/3457 | clear_refs | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/smaps | /proc/3457 | smaps | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/smaps_rollup | /proc/3457 | smaps_rollup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/pagemap | /proc/3457 | pagemap | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/wchan | /proc/3457 | wchan | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/stack | /proc/3457 | stack | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/schedstat | /proc/3457 | schedstat | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/cpuset | /proc/3457 | cpuset | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/cgroup | /proc/3457 | cgroup | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/cpu_resctrl_groups | /proc/3457 | cpu_resctrl_groups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/oom_score | /proc/3457 | oom_score | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/oom_adj | /proc/3457 | oom_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/oom_score_adj | /proc/3457 | oom_score_adj | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/loginuid | /proc/3457 | loginuid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/sessionid | /proc/3457 | sessionid | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/coredump_filter | /proc/3457 | coredump_filter | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/io | /proc/3457 | io | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/uid_map | /proc/3457 | uid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/gid_map | /proc/3457 | gid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/projid_map | /proc/3457 | projid_map | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/setgroups | /proc/3457 | setgroups | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/timers | /proc/3457 | timers | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/timerslack_ns | /proc/3457 | timerslack_ns | system_u | system_r | unconfined_service_t | s0 | s0 |
| /proc/3457/patch_state | /proc/3457 | patch_state | system_u | system_r | unconfined_service_t | s0 | s0 |
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-selinux_policytype:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80868-3 References: BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780, RHEL-08-010450, 1.6.1.3, SV-230282r627750_rule |
| Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targetedOther policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted. |
Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file oval:ssg-test_selinux_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/selinux/config | SELINUXTYPE=targeted |
Ensure SELinux State is Enforcing
/selinux/enforce is 1 oval:ssg-test_etc_selinux_config:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/selinux/config | SELINUX=enforcing |
Ensure that /etc/at.deny does not exist
| Rule ID | xccdf_org.ssgproject.content_rule_file_at_deny_not_exist |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_at_deny_not_exist:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86945-3 References: 5.1.9 |
| Description | The file /etc/at.deny should not exist.
Use /etc/at.allow instead. |
| Rationale | Access to at should be restricted.
It is easier to manage an allow list than a deny list. |
Test that that /etc/at.deny does not exist oval:ssg-test_file_at_deny_not_exist:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_at_deny_not_exist:obj:1 of type file_object
| Filepath |
|---|
| /etc/at.deny |
Ensure that /etc/cron.deny does not exist
| Rule ID | xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_cron_deny_not_exist:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86849-7 References: 5.1.8 |
| Description | The file /etc/cron.deny should not exist.
Use /etc/cron.allow instead. |
| Rationale | Access to cron should be restricted.
It is easier to manage an allow list than a deny list. |
Test that that /etc/cron.deny does not exist oval:ssg-test_file_cron_deny_not_exist:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_cron_deny_not_exist:obj:1 of type file_object
| Filepath |
|---|
| /etc/cron.deny |
Verify Group Who Owns /etc/at.allow file
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_at_allow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_at_allow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-87102-0 References: 5.1.9 |
| Description | If /etc/at.allow exists, it must be group-owned by root.
To properly set the group owner of /etc/at.allow, run the command:
$ sudo chgrp root /etc/at.allow |
| Rationale | If the owner of the at.allow file is not set to root, the possibility exists for an
unauthorized user to view or edit sensitive information. |
Testing group ownership of /etc/at.allow oval:ssg-test_file_groupowner_at_allow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_at_allow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/at.allow | oval:ssg-symlink_file_groupowner_at_allow_uid_0:ste:1 | oval:ssg-state_file_groupowner_at_allow_gid_0_0:ste:1 |
Verify Group Who Owns /etc/cron.allow file
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_allow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86829-9 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.8 |
| Description | If /etc/cron.allow exists, it must be group-owned by root.
To properly set the group owner of /etc/cron.allow, run the command:
$ sudo chgrp root /etc/cron.allow |
| Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an
unauthorized user to view or edit sensitive information. |
Testing group ownership of /etc/cron.allow oval:ssg-test_file_groupowner_cron_allow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_allow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/cron.allow | oval:ssg-symlink_file_groupowner_cron_allow_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_allow_gid_0_0:ste:1 |
Verify User Who Owns /etc/cron.allow file
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_allow |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_allow:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86843-0 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.8 |
| Description | If /etc/cron.allow exists, it must be owned by root.
To properly set the owner of /etc/cron.allow, run the command:
$ sudo chown root /etc/cron.allow |
| Rationale | If the owner of the cron.allow file is not set to root, the possibility exists for an
unauthorized user to view or edit sensitive information. |
Testing user ownership of /etc/cron.allow oval:ssg-test_file_owner_cron_allow_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_allow_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/cron.allow | oval:ssg-symlink_file_owner_cron_allow_uid_0:ste:1 | oval:ssg-state_file_owner_cron_allow_uid_0_0:ste:1 |
Enable cron Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_crond_enabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_crond_enabled:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80875-8 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3, 5.1.1 |
| Description | The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service |
| Rationale | Due to its usage for maintenance and security-supporting tasks,
enabling the cron daemon is essential. |
package cronie is installed oval:ssg-test_service_crond_package_cronie_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| cronie | x86_64 | (none) | 4.el8 | 1.5.2 | 0:1.5.2-4.el8 | 199e2f91fd431d51 | cronie-0:1.5.2-4.el8.x86_64 |
Test that the crond service is running oval:ssg-test_service_running_crond:tst:1 true
Following items have been found on the system:
| Unit | Property | Value |
|---|---|---|
| crond.service | ActiveState | active |
systemd test oval:ssg-test_multi_user_wants_crond:tst:1 true
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
systemd test oval:ssg-test_multi_user_wants_crond_socket:tst:1 false
Following items have been found on the system:
| Unit | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency | Dependency |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| multi-user.target | basic.target | var.mount | -.mount | sysinit.target | dev-hugepages.mount | systemd-ask-password-console.path | sys-kernel-debug.mount | rngd.service | iscsi-onboot.service | systemd-udevd.service | lvm2-lvmpolld.socket | systemd-modules-load.service | cryptsetup.target | selinux-autorelabel-mark.service | systemd-update-done.service | dracut-shutdown.service | systemd-journal-catalog-update.service | multipathd.service | systemd-hwdb-update.service | systemd-sysctl.service | dev-mqueue.mount | import-state.service | systemd-update-utmp.service | nis-domainname.service | swap.target | lvm2-monitor.service | systemd-journald.service | systemd-tmpfiles-setup.service | systemd-tmpfiles-setup-dev.service | proc-sys-fs-binfmt_misc.automount | loadmodules.service | systemd-binfmt.service | kmod-static-nodes.service | systemd-journal-flush.service | systemd-machine-id-commit.service | sys-fs-fuse-connections.mount | sys-kernel-config.mount | ldconfig.service | systemd-udev-trigger.service | systemd-firstboot.service | local-fs.target | boot.mount | usr.mount | home.mount | tmp.mount | boot-efi.mount | mnt.mount | systemd-remount-fs.service | systemd-random-seed.service | systemd-sysusers.service | timers.target | unbound-anchor.timer | dnf-makecache.timer | systemd-tmpfiles-clean.timer | mlocate-updatedb.timer | sockets.target | systemd-journald.socket | dbus.socket | iscsiuio.socket | sssd-kcm.socket | dm-event.socket | systemd-journald-dev-log.socket | multipathd.socket | iscsid.socket | systemd-udevd-control.socket | systemd-udevd-kernel.socket | systemd-initctl.socket | systemd-coredump.socket | paths.target | slices.target | -.slice | system.slice | smartd.service | NetworkManager.service | nftables.service | waagent.service | libstoragemgmt.service | vdo.service | tuned.service | rhsmcertd.service | dbus.service | systemd-update-utmp-runlevel.service | chronyd.service | firewalld.service | kdump.service | remote-fs.target | iscsi.service | sshd.service | crond.service | systemd-ask-password-wall.path | getty.target | getty@tty1.service | serial-getty@ttyS0.service | mdmonitor.service | systemd-user-sessions.service | systemd-logind.service | auditd.service | systemd-resolved.service | cloud-init.target | cloud-init-local.service | cloud-init.service | cloud-config.service | cloud-final.service | mcelog.service | sssd.service | rsyslog.service | atd.service | irqbalance.service |
Verify Group Who Owns cron.d
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_d |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_d:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82268-4 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7 |
| Description |
To properly set the group owner of /etc/cron.d, run the command:
$ sudo chgrp root /etc/cron.d |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing group ownership of /etc/cron.d/ oval:ssg-test_file_groupowner_cron_d_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_d_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.d | no value | oval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1 |
Verify Group Who Owns cron.daily
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_daily:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82234-6 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4 |
| Description |
To properly set the group owner of /etc/cron.daily, run the command:
$ sudo chgrp root /etc/cron.daily |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing group ownership of /etc/cron.daily/ oval:ssg-test_file_groupowner_cron_daily_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_daily_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.daily | no value | oval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1 |
Verify Group Who Owns cron.hourly
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_hourly:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82227-0 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3 |
| Description |
To properly set the group owner of /etc/cron.hourly, run the command:
$ sudo chgrp root /etc/cron.hourly |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing group ownership of /etc/cron.hourly/ oval:ssg-test_file_groupowner_cron_hourly_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_hourly_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.hourly | no value | oval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1 |
Verify Group Who Owns cron.monthly
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_monthly:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82256-9 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6 |
| Description |
To properly set the group owner of /etc/cron.monthly, run the command:
$ sudo chgrp root /etc/cron.monthly |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing group ownership of /etc/cron.monthly/ oval:ssg-test_file_groupowner_cron_monthly_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_monthly_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.monthly | no value | oval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1 |
Verify Group Who Owns cron.weekly
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_cron_weekly:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82244-5 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5 |
| Description |
To properly set the group owner of /etc/cron.weekly, run the command:
$ sudo chgrp root /etc/cron.weekly |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing group ownership of /etc/cron.weekly/ oval:ssg-test_file_groupowner_cron_weekly_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_weekly_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.weekly | no value | oval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1 | oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1 |
Verify Group Who Owns Crontab
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_crontab |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_crontab:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82223-9 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2 |
| Description |
To properly set the group owner of /etc/crontab, run the command:
$ sudo chgrp root /etc/crontab |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing group ownership of /etc/crontab oval:ssg-test_file_groupowner_crontab_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_crontab_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/crontab | oval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1 | oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1 |
Verify Owner on cron.d
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_d |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_d:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82272-6 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7 |
| Description |
To properly set the owner of /etc/cron.d, run the command:
$ sudo chown root /etc/cron.d |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
Testing user ownership of /etc/cron.d/ oval:ssg-test_file_owner_cron_d_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_d_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.d | no value | oval:ssg-symlink_file_owner_cron_d_uid_0:ste:1 | oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1 |
Verify Owner on cron.daily
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_daily |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_daily:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82237-9 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4 |
| Description |
To properly set the owner of /etc/cron.daily, run the command:
$ sudo chown root /etc/cron.daily |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
Testing user ownership of /etc/cron.daily/ oval:ssg-test_file_owner_cron_daily_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_daily_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.daily | no value | oval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1 | oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1 |
Verify Owner on cron.hourly
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_hourly |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_hourly:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82209-8 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3 |
| Description |
To properly set the owner of /etc/cron.hourly, run the command:
$ sudo chown root /etc/cron.hourly |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
Testing user ownership of /etc/cron.hourly/ oval:ssg-test_file_owner_cron_hourly_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_hourly_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.hourly | no value | oval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1 | oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1 |
Verify Owner on cron.monthly
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_monthly |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_monthly:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82260-1 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6 |
| Description |
To properly set the owner of /etc/cron.monthly, run the command:
$ sudo chown root /etc/cron.monthly |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
Testing user ownership of /etc/cron.monthly/ oval:ssg-test_file_owner_cron_monthly_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_monthly_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.monthly | no value | oval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1 | oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1 |
Verify Owner on cron.weekly
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_cron_weekly |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_cron_weekly:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82247-8 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5 |
| Description |
To properly set the owner of /etc/cron.weekly, run the command:
$ sudo chown root /etc/cron.weekly |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
Testing user ownership of /etc/cron.weekly/ oval:ssg-test_file_owner_cron_weekly_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_weekly_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /etc/cron.weekly | no value | oval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1 | oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1 |
Verify Owner on crontab
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_crontab |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_crontab:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82224-7 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2 |
| Description |
To properly set the owner of /etc/crontab, run the command:
$ sudo chown root /etc/crontab |
| Rationale | Service configuration files enable or disable features of their respective services that if configured incorrectly
can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
correct user to prevent unauthorized changes. |
Testing user ownership of /etc/crontab oval:ssg-test_file_owner_crontab_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_crontab_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/crontab | oval:ssg-symlink_file_owner_crontab_uid_0:ste:1 | oval:ssg-state_file_owner_crontab_uid_0_0:ste:1 |
Uninstall vsftpd Package
package vsftpd is removed oval:ssg-test_package_vsftpd_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type rpminfo_object
| Name |
|---|
| vsftpd |
Uninstall httpd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_httpd_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_httpd_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-85970-2 References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.10 |
| Description |
The httpd package can be removed with the following command:
$ sudo yum erase httpd |
| Rationale | If there is no need to make the web server software available,
removing it provides a safeguard against its activation. |
package httpd is removed oval:ssg-test_package_httpd_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_httpd_removed:obj:1 of type rpminfo_object
| Name |
|---|
| httpd |
Uninstall dovecot Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_dovecot_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_dovecot_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-85976-9 References: 2.2.11 |
| Description |
The dovecot package can be removed with the following command:
$ sudo yum erase dovecot |
| Rationale | If there is no need to make the Dovecot software available,
removing it provides a safeguard against its activation. |
package dovecot is removed oval:ssg-test_package_dovecot_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dovecot_removed:obj:1 of type rpminfo_object
| Name |
|---|
| dovecot |
Ensure LDAP client is not installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_openldap-clients_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_openldap-clients_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-82885-5 References: 2.3.5 |
| Description | The Lightweight Directory Access Protocol (LDAP) is a service that provides
a method for looking up information from a central database.
The openldap-clients package can be removed with the following command:
$ sudo yum erase openldap-clients |
| Rationale | If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface. |
package openldap-clients is removed oval:ssg-test_package_openldap-clients_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_openldap-clients_removed:obj:1 of type rpminfo_object
| Name |
|---|
| openldap-clients |
Disable Postfix Network Listening
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82174-4 References: BP28(R48), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.17 |
| Description | Edit the file /etc/postfix/main.cf to ensure that only the following
inet_interfaces line appears:
inet_interfaces = loopback-only |
| Rationale | This ensures postfix accepts mail messages
(such as cron job reports) from the local system only,
and not from the network, which protects it from network attack. |
Disable Network File System (nfs)
| Rule ID | xccdf_org.ssgproject.content_rule_service_nfs_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-service_nfs_disabled:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-82762-6 References: 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, 2.2.18 |
| Description | The Network File System (NFS) service allows remote hosts to mount
and interact with shared filesystems on the local system. If the local system
is not designated as a NFS server then this service should be disabled.
The nfs-server service can be disabled with the following command:
$ sudo systemctl mask --now nfs-server.service |
| Rationale | Unnecessary services should be disabled to decrease the attack surface of the system. |
package nfs-utils is removed oval:ssg-test_service_nfs-server_package_nfs-utils_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_nfs-server_package_nfs-utils_removed:obj:1 of type rpminfo_object
| Name |
|---|
| nfs-utils |
Test that the nfs-server service is not running oval:ssg-test_service_not_running_nfs-server:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_nfs-server:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^nfs-server\.(service|socket)$ | ActiveState |
Test that the property LoadState from the service nfs-server is masked oval:ssg-test_service_loadstate_is_masked_nfs-server:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_nfs-server:obj:1 of type systemdunitproperty_object
| Unit | Property |
|---|---|
| ^nfs-server\.(service|socket)$ | LoadState |
Ensure that chronyd is running under chrony user account
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_run_as_chrony_user:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82879-8 References: 2.1.2 |
| Description | chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
http://chrony.tuxfamily.org/.
Chrony can be configured to be a client and/or a server.
To ensure that chronyd is running under chrony user account,
remove any -u ... option from OPTIONS other than -u chrony,
as chrony is run under its own user by default.
This recommendation only applies if chrony is in use on the system. |
| Rationale | If chrony is in use on the system proper configuration is vital to ensuring time synchronization
is working properly. |
The default chrony user hasn't been overriden oval:ssg-test_no_user_override:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_user_override:obj:1 of type textfilecontent54_object
| Behaviors | Filepath | Pattern | Instance |
|---|---|---|---|
| no value | /etc/sysconfig/chronyd | ^\s*OPTIONS=.*[\s'"]-u(?!\s*chrony\b).* | 0 |
A remote time server for Chrony is configured
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-chronyd_specify_remote_server:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82873-1 References: BP28(R43), CCI-000160, CCI-001891, 0988, 1405, CM-6(a), AU-8(1)(a), Req-10.4.3, 2.1.2 |
| Description | Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to
synchronize system clocks across a variety of systems and use a source that is highly
accurate. More information on chrony can be found at
http://chrony.tuxfamily.org/.
Chrony can be configured to be a client and/or a server.
Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>Multiple servers may be configured. |
| Rationale | If chrony is in use on the system proper configuration is vital to ensuring time
synchronization is working properly. |
Ensure at least one NTP server is set oval:ssg-test_chronyd_remote_server:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/chrony.conf | pool 2.rhel.pool.ntp.org iburst |
Uninstall xinetd Package
package xinetd is removed oval:ssg-test_package_xinetd_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xinetd_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xinetd |
Remove NIS Client
| Rule ID | xccdf_org.ssgproject.content_rule_package_ypbind_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_ypbind_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-82181-9 References: BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 2.3.1 |
| Description | The Network Information Service (NIS), formerly known as Yellow Pages,
is a client-server directory service protocol used to distribute system configuration
files. The NIS client ( ypbind) was used to bind a system to an NIS server
and receive the distributed configuration files. |
| Rationale | The NIS service is inherently an insecure system that has been vulnerable
to DOS attacks, buffer overflows and has poor authentication for querying
NIS maps. NIS generally has been replaced by such protocols as Lightweight
Directory Access Protocol (LDAP). It is recommended that the service be
removed. |
package ypbind is removed oval:ssg-test_package_ypbind_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_ypbind_removed:obj:1 of type rpminfo_object
| Name |
|---|
| ypbind |
Uninstall ypserv Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_ypserv_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_ypserv_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82432-6 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, 2.2.15 |
| Description | The ypserv package can be removed with the following command:
$ sudo yum erase ypserv |
| Rationale | The NIS service provides an unencrypted authentication service which does
not provide for the confidentiality and integrity of user passwords or the
remote session.
Removing the ypserv package decreases the risk of the accidental
(or intentional) activation of NIS or NIS+ services. |
package ypserv is removed oval:ssg-test_package_ypserv_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_ypserv_removed:obj:1 of type rpminfo_object
| Name |
|---|
| ypserv |
Uninstall rsh Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsh_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsh_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-82183-5 References: BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.2 |
| Description |
The rsh package contains the client commands
for the rsh services |
| Rationale | These legacy clients contain numerous security exposures and have
been replaced with the more secure SSH package. Even if the server is removed,
it is best to ensure the clients are also removed to prevent users from
inadvertently attempting to use these commands and therefore exposing
their credentials. Note that removing the rsh package removes
the clients for rsh,rcp, and rlogin. |
package rsh is removed oval:ssg-test_package_rsh_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh_removed:obj:1 of type rpminfo_object
| Name |
|---|
| rsh |
Remove Rsh Trust Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_rsh_trust_files |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_rsh_trust_files:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80842-8 References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 6.2.16 |
| Description | The files /etc/hosts.equiv and ~/.rhosts (in
each user's home directory) list remote hosts and users that are trusted by the
local system when using the rshd daemon.
To remove these files, run the following command to delete them from any
location:
$ sudo rm /etc/hosts.equiv $ rm ~/.rhosts |
| Rationale | This action is only meaningful if .rhosts support is permitted
through PAM. Trust files are convenient, but when used in conjunction with
the R-services, they can allow unauthenticated access to a system. |
look for .rhosts in /root oval:ssg-test_no_rsh_trust_files_root:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_root:obj:1 of type file_object
| Path | Filename |
|---|---|
| /root | ^\.rhosts$ |
look for .rhosts in /home oval:ssg-test_no_rsh_trust_files_home:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_home:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | /home | ^\.rhosts$ |
look for /etc/hosts.equiv oval:ssg-test_no_rsh_trust_files_etc:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_etc:obj:1 of type file_object
| Path | Filename |
|---|---|
| /etc | ^hosts\.equiv$ |
Uninstall talk Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_talk_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_talk_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80848-5 References: BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 2.3.3 |
| Description | The talk package contains the client program for the
Internet talk protocol, which allows the user to chat with other users on
different systems. Talk is a communication program which copies lines from one
terminal to the terminal of another user.
The talk package can be removed with the following command:
$ sudo yum erase talk |
| Rationale | The talk software presents a security risk as it uses unencrypted protocols
for communications. Removing the talk package decreases the
risk of the accidental (or intentional) activation of talk client program. |
package talk is removed oval:ssg-test_package_talk_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_talk_removed:obj:1 of type rpminfo_object
| Name |
|---|
| talk |
Uninstall telnet-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet-server_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82182-7 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, 2.2.16, SV-230487r627750_rule |
| Description | The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server |
| Rationale | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. |
package telnet-server is removed oval:ssg-test_package_telnet-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| telnet-server |
Remove telnet Clients
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-80849-3 References: BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.4 |
| Description | The telnet client allows users to start connections to other systems via
the telnet protocol. |
| Rationale | The telnet protocol is insecure and unencrypted. The use
of an unencrypted transmission medium could allow an unauthorized user
to steal credentials. The ssh package provides an
encrypted session and stronger security and is included in Red Hat Enterprise Linux 8. |
package telnet is removed oval:ssg-test_package_telnet_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet_removed:obj:1 of type rpminfo_object
| Name |
|---|
| telnet |
Uninstall tftp-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tftp-server_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-82436-7 References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, 2.2.9, SV-230533r627750_rule |
| Description | The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server |
| Rationale | Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established. |
package tftp-server is removed oval:ssg-test_package_tftp-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| tftp-server |
Remove tftp Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_package_tftp_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tftp_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | low |
| Identifiers and References | Identifiers: CCE-83590-0 |
| Description | Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
typically used to automatically transfer configuration or boot files between systems.
TFTP does not support authentication and can be easily hacked. The package
tftp is a client program that allows for connections to a tftp server. |
| Rationale | It is recommended that TFTP be removed, unless there is a specific need
for TFTP (such as a boot server). In that case, use extreme caution when configuring
the services. |
package tftp is removed oval:ssg-test_package_tftp_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp_removed:obj:1 of type rpminfo_object
| Name |
|---|
| tftp |
Uninstall squid Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_squid_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_squid_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-82189-2 References: 2.2.13 |
| Description | The squid package can be removed with the following command: $ sudo yum erase squid |
| Rationale | If there is no need to make the proxy server software available,
removing it provides a safeguard against its activation. |
package squid is removed oval:ssg-test_package_squid_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_squid_removed:obj:1 of type rpminfo_object
| Name |
|---|
| squid |
Uninstall Samba Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_samba_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_samba_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-85978-5 References: 2.2.12 |
| Description | The samba package can be removed with the following command: $ sudo yum erase samba |
| Rationale | If there is no need to make the Samba software available,
removing it provides a safeguard against its activation. |
package samba is removed oval:ssg-test_package_samba_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_samba_removed:obj:1 of type rpminfo_object
| Name |
|---|
| samba |
Uninstall net-snmp Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_net-snmp_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_net-snmp_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | unknown |
| Identifiers and References | Identifiers: CCE-85980-1 References: 2.2.14 |
| Description |
The net-snmp package provides the snmpd service.
The net-snmp package can be removed with the following command:
$ sudo yum erase net-snmp |
| Rationale | If there is no need to run SNMP server software,
removing the package provides a safeguard against its
activation. |
package net-snmp is removed oval:ssg-test_package_net-snmp_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_net-snmp_removed:obj:1 of type rpminfo_object
| Name |
|---|
| net-snmp |
Set SSH Client Alive Count Max
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_keepalive:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80907-9 References: BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000, 5.2.20 |
| Description | The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered idle
and terminated.
For SSH earlier than v8.2, a ClientAliveCountMax value of 0
causes an idle timeout precisely when the ClientAliveInterval is set.
Starting with v8.2, a value of 0 disables the timeout functionality
completely. If the option is set to a number greater than 0, then
the idle session will be disconnected after
ClientAliveInterval * ClientAliveCountMax seconds. |
| Rationale | This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_clientalivecountmax:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | ClientAliveCountMax 0 |
Set SSH Idle Timeout Interval
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_idle_timeout:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80906-1 References: BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SRG-OS-000480-VMM-002000, RHEL-08-010201, 5.2.20, SV-244525r743824_rule |
| Description | SSH allows administrators to set an idle timeout interval. After this interval
has passed, the idle user will be automatically logged out.
To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 900 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| Rationale | Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been let unattended. |
| Warnings | warning
SSH disconnecting idle clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration. warning
Following conditions may prevent the SSH session to time out:
|
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
timeout is configured oval:ssg-test_sshd_idle_timeout:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | ClientAliveInterval 180 #ClientAliveCountMax 3 |
Disable Host-Based Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_disable_host_auth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_host_auth:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80786-7 References: 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, 5.2.8 |
| Description | SSH's cryptographic host-based authentication is
more secure than .rhosts authentication. However, it is
not recommended that hosts unilaterally trust one another, even
within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no |
| Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file oval:ssg-test_disable_host_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | HostbasedAuthentication no |
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_empty_passwords:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | high |
| Identifiers and References | Identifiers: CCE-80896-4 References: NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-020330, 5.2.9, SV-230380r743993_rule |
| Description | Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_empty_passwords:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | PermitEmptyPasswords no |
Disable SSH Support for .rhosts Files
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_rhosts |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_rhosts:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80899-8 References: 11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00227, SRG-OS-000107-VMM-000530, 5.2.11 |
| Description | SSH can emulate the behavior of the obsolete rsh
command in allowing users to enable insecure access to their
accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate
configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes |
| Rationale | SSH trust relationships mean a compromise on one host
can allow an attacker to move trivially to other hosts. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_rhosts:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | IgnoreRhosts yes |
Disable SSH Root Login
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_root_login |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_root_login:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80901-2 References: BP28(R19), NT007(R21), 1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.6, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.1.5, CCI-000366, CCI-000770, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-6(2), AC-17(a), IA-2, IA-2(5), CM-7(a), CM-7(b), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, FAU_GEN.1, SRG-OS-000109-GPOS-00056, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-010550, 5.2.7, SV-230296r627750_rule |
| Description | The root user should never be allowed to login to a
system directly over a network.
To disable root login via SSH, add or correct the following line in
/etc/ssh/sshd_config:
PermitRootLogin no |
| Rationale | Even though the communications channel may be encrypted, an additional layer of
security is gained by extending the policy of not logging directly on as root.
In addition, logging in with a user-specific account provides individual
accountability of actions performed on the system and also helps to minimize
direct attack attempts on root's password. |
| Warnings | warning
This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable.
RHV hosts require root access to be managed by RHV Manager. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_root_login:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | PermitRootLogin no |
Disable SSH TCP Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_tcp_forwarding:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83301-2 References: 5.2.13 |
| Description | The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted.
To disable TCP forwarding, add or correct the following line in
/etc/ssh/sshd_config:
AllowTcpForwarding no |
| Rationale | Leaving port forwarding enabled can expose the organization to security risks and back-doors. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of AllowTcpForwarding setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_tcp_forwarding:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | AllowTcpForwarding no |
Disable X11 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_disable_x11_forwarding:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83360-8 References: CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040340, 5.2.12, SV-230555r627750_rule |
| Description | The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding no |
| Rationale | Disable X11 forwarding unless there is an operational requirement to use X11
applications directly. There is a small risk that the remote X11 servers of
users who are logged in via SSH with X11 forwarding could be compromised by
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_disable_x11_forwarding:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | X11Forwarding no |
Do Not Allow SSH Environment Options
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_do_not_permit_user_env:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-80903-8 References: 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, RHEL-08-010830, 5.2.10, SV-230330r646870_rule |
| Description | Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config:
PermitUserEnvironment no |
| Rationale | SSH environment options potentially allow users to bypass
access restriction in some configurations. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_do_not_permit_user_env:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | PermitUserEnvironment no |
Enable PAM
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_pam |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_enable_pam:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86721-8 References: CCI-000877, SRG-OS-000125-GPOS-00065, 5.2.6 |
| Description | UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will
enable PAM authentication using ChallengeResponseAuthentication and
PasswordAuthentication in addition to PAM account and session module processing for all
authentication types.
To enable PAM authentication, add or correct the following line in
/etc/ssh/sshd_config:
UsePAM yes |
| Rationale | When UsePAM is set to yes, PAM runs through account and session types properly. This is
important if you want to restrict access to services based off of IP, time or other factors of
the account. Additionally, you can make sure users inherit certain environment variables
on login or disallow access to the server. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of UsePAM setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_enable_pam:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | UsePAM yes |
Ensure SSH LoginGraceTime is configured
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_login_grace_time:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-86551-9 References: 5.2.19 |
| Description | The LoginGraceTime parameter to the SSH server specifies the time allowed for successful authentication to
the SSH server. The longer the Grace period is the more open unauthenticated connections
can exist. Like other session controls in this session the Grace Period should be limited to
appropriate limits to ensure the service is available for needed access. |
| Rationale | Setting the LoginGraceTime parameter to a low number will minimize the risk of successful
brute force attacks to the SSH server. It will also limit the number of concurrent
unauthenticated connections. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
LoginGraceTime is configured oval:ssg-test_sshd_login_grace_time:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | LoginGraceTime 60 |
Set SSH Daemon LogLevel to VERBOSE
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_loglevel_verbose:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82420-1 References: CCI-000067, CIP-007-3 R7.1, AC-17(a), AC-17(1), CM-6(a), SRG-OS-000032-GPOS-00013, 5.2.5 |
| Description | The VERBOSE parameter configures the SSH daemon to record login and logout activity.
To specify the log level in
SSH, add or correct the following line in
/etc/ssh/sshd_config:
LogLevel VERBOSE |
| Rationale | SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically
not recommended other than strictly for debugging SSH communications since it provides
so much data that it is difficult to identify important security information. INFO or
VERBOSE level is the basic level that only records login activity of SSH users. In many
situations, such as Incident Response, it is important to determine when a particular user was active
on a system. The logout record can eliminate those users who disconnected, which helps narrow the
field. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
tests the value of LogLevel setting in the /etc/ssh/sshd_config file oval:ssg-test_sshd_set_loglevel_verbose:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | LogLevel VERBOSE |
Set SSH authentication attempt limit
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_max_auth_tries:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83500-9 References: 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, 5.2.16 |
| Description | The MaxAuthTries parameter specifies the maximum number of authentication attempts
permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
to set MaxAUthTries edit /etc/ssh/sshd_config as follows:
MaxAuthTries 4 |
| Rationale | Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
brute force attacks to the SSH server. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
maxauthtries is configured oval:ssg-test_sshd_max_auth_tries:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | MaxAuthTries 4 |
Set SSH MaxSessions limit
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_max_sessions |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_max_sessions:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-83357-4 References: 5.2.18 |
| Description | The MaxSessions parameter specifies the maximum number of open sessions permitted
from a given connection. To set MaxSessions edit
/etc/ssh/sshd_config as follows: MaxSessions 10 |
| Rationale | To protect a system from denial of service due to a large number of concurrent
sessions, use the rate limiting function of MaxSessions to protect availability
of sshd logins and prevent overwhelming the daemon. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
Verify if Profile set Value sshd_required as required oval:ssg-test_sshd_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is installed oval:ssg-test_package_openssh-server_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
maxsessions is configured oval:ssg-test_sshd_max_sessions:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | MaxSessions 10 |
Ensure SSH MaxStartups is configured
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_maxstartups |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sshd_set_maxstartups:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-90718-8 References: 5.2.17 |
| Description | The MaxStartups parameter specifies the maximum number of concurrent
unauthenticated connections to the SSH daemon. Additional connections will be
dropped until authentication succeeds or the LoginGraceTime expires for a
connection. To confgure MaxStartups, you should add or correct the following
line in the
/etc/ssh/sshd_config file:
MaxStartups 10:30:60CIS recommends a MaxStartups value of '10:30:60', or more restrictive where dictated by site policy. |
| Rationale | To protect a system from denial of service due to a large number of pending
authentication connection attempts, use the rate limiting function of MaxStartups
to protect availability of sshd logins and prevent overwhelming the daemon. |
Verify if Profile set Value sshd_required as not required oval:ssg-test_sshd_not_required:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
Verify if Value of sshd_required is the default oval:ssg-test_sshd_requirement_unset:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-sshd_required:var:1 | 0 |
package openssh-server is removed oval:ssg-test_package_openssh-server_removed:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| openssh-server | x86_64 | (none) | 6.el8_4.2 | 8.0p1 | 0:8.0p1-6.el8_4.2 | 199e2f91fd431d51 | openssh-server-0:8.0p1-6.el8_4.2.x86_64 |
SSH MaxStartups start parameter is less than or equal to 10 oval:ssg-tst_maxstartups_start_parameter:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | MaxStartups 10:30:60 |
SSH MaxStartups rate parameter is greater than or equal to 30 oval:ssg-tst_maxstartups_rate_parameter:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | MaxStartups 10:30:60 |
SSH MaxStartups full parameter is less than or equal to 100 oval:ssg-tst_maxstartups_full_parameter:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/ssh/sshd_config | MaxStartups 10:30:60 |
Verify Group Who Owns SSH Server config file
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_sshd_config:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82901-0 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1 |
| Description |
To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config |
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing group ownership of /etc/ssh/sshd_config oval:ssg-test_file_groupowner_sshd_config_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/ssh/sshd_config | oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1 |
Verify Owner on SSH Server config file
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_sshd_config |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_sshd_config:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82898-8 References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1 |
| Description |
To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config |
| Rationale | Service configuration files enable or disable features of their respective
services that if configured incorrectly can lead to insecure and vulnerable
configurations. Therefore, service configuration files should be owned by the
correct group to prevent unauthorized changes. |
Testing user ownership of /etc/ssh/sshd_config oval:ssg-test_file_owner_sshd_config_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /etc/ssh/sshd_config | oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1 | oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1 |
Remove the X Windows Package Group
| Rule ID | xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_xorg-x11-server-common_removed:def:1 |
| Time | 2022-11-07T15:05:53+00:00 |
| Severity | medium |
| Identifiers and References | Identifiers: CCE-82757-6 References: 12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 2.2.2 |
| Description | By removing the xorg-x11-server-common package, the system no longer has X Windows
installed. If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:$ sudo yum groupremove base-x $ sudo yum remove xorg-x11-server-common |
| Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
vulnerabilities and should not be installed unless approved and documented. |
| Warnings | warning
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
which might bring your system to an inconsistent state requiring additional configuration to access the system
again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before
continuing installation. |
package xorg-x11-server-common is removed oval:ssg-test_package_xorg-x11-server-common_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-common |